Audit 344346

FY End: 2024-05-31
Total Expended: $11.75M
Findings: 12
Programs: 7
Organization: Wartburg College (IA)
Year: 2024 Accepted: 2025-02-28

Findings

ID Ref Severity Repeat Requirement
525033 2024-001 - - N
525034 2024-001 - - N
525035 2024-001 - - N
525036 2024-001 - - N
525037 2024-001 - - N
525038 2024-001 - - N
1101475 2024-001 - - N
1101476 2024-001 - - N
1101477 2024-001 - - N
1101478 2024-001 - - N
1101479 2024-001 - - N
1101480 2024-001 - - N

Contacts

Name Title Type
ELF8YWQKZPN7 Carolyn Hughes Auditee
3193528642 Nicki Donlon Auditor
No contacts on file

Notes to SEFA

The following fields are identical for every note:
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available.
De Minimis Rate Used: N
Rate Explanation: N/A

Title: Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of the Wartburg College under programs of the federal government for the year ended May 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets or cash flows of the College.

Title: Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available.

Title: Indirect Cost Rate
The College has not elected to use the 10% de minimis indirect cost rate.

Title: Federal Perkins Loan Program
The Federal Perkins Loan Program is administered directly by the College, and balances and transactions related to this program are included in the College's basic financial statements. Loans outstanding at the beginning of the year and loans made during the year are included in the federal expenditures in the Schedule. Federal Perkins loans outstanding at May 31, 2024 totaled $475,582.

Finding Details

Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in this section 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.

Condition: The College does not have a written information security program that addresses all required elements that apply.

Cause: The College did not have procedures and processes in place specific to GLBA during fiscal year 2024 and therefore did not have written documentation of all required elements.

Effect: Failure to comply with the requirements of GLBA standards puts the College at risk of compromising consumer, nonpublic personal information.

Questioned Costs: Not applicable.

Context: Not applicable.

Recommendation: We noted the College’s policies in effect during fiscal year 2024 contained four of the 16 required elements. The College should perform and document an annual risk assessment to determine the College’s specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the College should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).

Management's Response: The reported issue arises from the absence of written documentation outlining policies and procedures related to GLBA requirements. This matter is being addressed by the Chief Information Officer responsible for overseeing a new information technology services (ITS) policy document. A draft of the ITS policy document has been created and is awaiting approval, which will specifically address the cybersecurity requirements of GLBA.