Audit 344457

FY End: 2024-07-31
Total Expended: $17.79M
Findings: 24
Programs: 9
Organization: Illinois Wesleyan University (IL)
Year: 2024
Accepted: 2025-03-03

Findings

ID Ref Severity Repeat Requirement
525237 2024-001 Significant Deficiency - N
525238 2024-001 Significant Deficiency - N
525239 2024-001 Significant Deficiency - N
525240 2024-001 Significant Deficiency - N
525241 2024-001 Significant Deficiency - N
525242 2024-001 Significant Deficiency - N
525243 2024-002 Significant Deficiency - N
525244 2024-002 Significant Deficiency - N
525245 2024-002 Significant Deficiency - N
525246 2024-002 Significant Deficiency - N
525247 2024-002 Significant Deficiency - N
525248 2024-002 Significant Deficiency - N
1101679 2024-001 Significant Deficiency - N
1101680 2024-001 Significant Deficiency - N
1101681 2024-001 Significant Deficiency - N
1101682 2024-001 Significant Deficiency - N
1101683 2024-001 Significant Deficiency - N
1101684 2024-001 Significant Deficiency - N
1101685 2024-002 Significant Deficiency - N
1101686 2024-002 Significant Deficiency - N
1101687 2024-002 Significant Deficiency - N
1101688 2024-002 Significant Deficiency - N
1101689 2024-002 Significant Deficiency - N
1101690 2024-002 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $10.92M Yes 2
84.063 Federal Pell Grant Program $2.32M Yes 2
93.364 Nursing Student Loans $1.89M Yes 2
84.038 Federal Perkins Loan Program_federal Capital Contributions $938,064 Yes 2
84.033 Federal Work-Study Program $316,565 Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $239,050 Yes 2
47.076 Stem Education (formerly Education and Human Resources) $157,776 - 0
59.037 Small Business Development Centers $115,000 - 0
21.019 Coronavirus Relief Fund $103,117 - 0

Contacts

Name Title Type
CWWDCJCNE3L1 David Myron Auditee
3095561000 Kyla Greenhoe Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION
Accounting Policies: The University has four-year predetermined fixed indirect cost rates, effective August 1, 2017 through July 31, 2021, which have been negotiated with the Department of Health and Human Services. The University has applied for a new rate for the period August 1, 2023 through July 31, 2026, and requested a provisional rate be used for the year ended July 31, 2024. The predetermined fixed rates were based on the University’s financial information for fiscal year 2012. The base rates for on and off campus were 45% and 15%, respectively, of modified total direct costs. Subsequent to year end, the University received the approved rate effective August 1, 2024 through July 31, 2028 increasing the base rate for on and off campus to 49% and 17%, respectively. Approximately $30,000 of indirect costs was reimbursed to the University during the year ended July 31, 2024. The University does not use the de minimis indirect cost rate of 10%.
De Minimis Rate Used: N
Rate Explanation: The de minimis cost rate was not used.
The accompanying schedule of expenditures of federal awards (the Schedule) summarizes the federal expenditures incurred by Illinois Wesleyan University (the University) under awards received from the federal government for the year ended July 31, 2024. For purposes of the Schedule, federal awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal government. Expenditures for federal award programs are recognized on the accrual basis of accounting.

Title: INDIRECT COST
The University has four-year predetermined fixed indirect cost rates, effective August 1, 2017 through July 31, 2021, which have been negotiated with the Department of Health and Human Services. The University has applied for a new rate for the period August 1, 2023 through July 31, 2026, and requested a provisional rate be used for the year ended July 31, 2024. The predetermined fixed rates were based on the University’s financial information for fiscal year 2012. The base rates for on and off campus were 45% and 15%, respectively, of modified total direct costs. Subsequent to year end, the University received the approved rate effective August 1, 2024 through July 31, 2028 increasing the base rate for on and off campus to 49% and 17%, respectively. Approximately $30,000 of indirect costs was reimbursed to the University during the year ended July 31, 2024. The University does not use the de minimis indirect cost rate of 10%.

Title: FEDERAL STUDENT LOAN PROGRAMS
Loans disbursed by the University to eligible students under federal student loan programs and federally guaranteed loans issued to students of the University during the year ended July 31, 2024 are summarized as follows:
The balance of loans outstanding for these programs consists of the following amounts:
The University is responsible only for the performance of certain administrative duties on behalf of the U.S. Department of Education with respect to the Direct Loan Program, and accordingly, the outstanding balances of these loans are not included in its financial statements and it is not practical to determine the balance of loans outstanding to students and former students of the University under these programs at July 31, 2024.
The Federal Perkins Loan Program (Perkins) is administered directly by the University, and balances and transactions relating to this program are included in the University’s financial statements. The balance of loans outstanding under the Perkins program was $672,408 and $938,064 at July 31, 2024 and 2023, respectively.
The Nursing Student Loan Program (NSL) is administered directly by the University, and balances and transactions relating to this program are included in the University’s financial statements. The balance of loans outstanding under the NSL program was $1,628,549 and $1,650,654 at July 31, 2024 and 2023, respectively.

Finding Details

2024 – 001: Special Tests and Provision: Enrollment Reporting
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2023-2024
Award Period: August 1, 2023 – July 31, 2024
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date.
Condition: While performing audit procedures, it was noted that 22 students of our sample of forty (40) were reported to NSLDS 1 day early. The final grades for graduating students were due 5/01/24, and the University reported graduates on 4/30/2024.
Questioned costs: None
Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting.
Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. The University had a change in the school year calendar that was not updated in the system before being reported to NSLDS.
Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period.
Repeat Finding: No
Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations.
Views of responsible officials: There is no disagreement with the audit finding.

Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2023-2024
Award Period: August 1, 2023 – July 31, 2024
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements:
• Identify the approval of the appropriate individual leading the information security program
• The use of encryption controls in transit on the University's systems
• The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information
• The use of multi-factor authentication for individuals accessing sensitive information across systems
• The processes to perform an annual penetration test and semi-annual vulnerability assessments
Cause: The University has continued to make progress in updating the University’s written security program to become compliant with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: The student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards.
Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2023-2024 Award Period: August 1, 2023 – July 31, 2024 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. 
Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2023-2024 Award Period: August 1, 2023 – July 31, 2024 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. 
Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
2024 – 001: Special Tests and Provision: Enrollment Reporting
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2023-2024
Award Period: August 1, 2023 – July 31, 2024
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309, requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days, or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require that the status include an accurate effective date.
Condition: While performing audit procedures, it was noted that 22 students of our sample of forty (40) were reported to NSLDS 1 day early. The final grades for graduating students were due 5/01/24, and the University reported graduates on 4/30/2024.
Questioned costs: None
Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade, causing delays in access for reporting.
Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. The University had a change in the school year calendar that was not updated in the system before being reported to NSLDS.
Effect: The NSLDS system is not updated with the student information, which can cause over-awarding should the student transfer to another institution, and the students may not properly enter the repayment period.
Repeat Finding: No
Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations.
Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2023-2024
Award Period: August 1, 2023 – July 31, 2024
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our testing of the University’s information technology, we noted that the University’s written security program did not meet the following compliance requirements:
• Identify the approval of the appropriate individual leading the information security program
• The use of encryption controls in transit on the University’s systems
• The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information
• The use of multi-factor authentication for individuals accessing sensitive information across systems
• The processes to perform an annual penetration test and semi-annual vulnerability assessments
Cause: The University has continued to make progress in updating its written security program to come into compliance with all requirements; however, due to capacity and demands on the information technology personnel, this is still a work in process.
Effect: Student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards.
Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2023-2024 Award Period: August 1, 2023 – July 31, 2024 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. 
Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2023-2024 Award Period: August 1, 2023 – July 31, 2024 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. 
Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2023-2024 Award Period: August 1, 2023 – July 31, 2024 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. 
Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.