FAC Explorer

Audit 344637

FY End
2024-06-30
Total Expended
$27.08M
Findings
22
Programs
7
Organization: Bethany College (KS)
Year: 2024 Accepted: 2025-03-04
Auditor: Rubinbrown LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
525553 2024-002 Significant Deficiency Yes N
525554 2024-001 Significant Deficiency - C
525555 2024-002 Significant Deficiency Yes N
525556 2024-003 Significant Deficiency - L
525557 2024-002 Significant Deficiency Yes N
525558 2024-002 Significant Deficiency Yes N
525559 2024-004 Significant Deficiency - L
525560 2024-002 Significant Deficiency Yes N
525561 2024-001 Significant Deficiency - C
525562 2024-002 Significant Deficiency Yes N
525563 2024-005 Significant Deficiency - N
1101995 2024-002 Significant Deficiency Yes N
1101996 2024-001 Significant Deficiency - C
1101997 2024-002 Significant Deficiency Yes N
1101998 2024-003 Significant Deficiency - L
1101999 2024-002 Significant Deficiency Yes N
1102000 2024-002 Significant Deficiency Yes N
1102001 2024-004 Significant Deficiency - L
1102002 2024-002 Significant Deficiency Yes N
1102003 2024-001 Significant Deficiency - C
1102004 2024-002 Significant Deficiency Yes N
1102005 2024-005 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
10.766 Community Facilities Loans and Grants $19.48M Yes 1
84.268 Federal Direct Student Loans $4.82M Yes 3
84.063 Federal Pell Grant Program $1.78M Yes 2
84.038 Federal Perkins Loan Program_federal Capital Contributions $695,826 Yes 2
84.033 Federal Work-Study Program $173,593 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $123,980 Yes 1
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $15,088 Yes 1

Contacts

Name Title Type
MCHHM98PRN95 Steven Eckman Auditee
7852273380 Kaleb Lilly Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the ten percent de minimis indirect cost rate as allowed under the Uniform Guidance. The Schedule of Expenditures of Federal Awards (the Schedule) includes the federal grant activity of Bethany College (the College) under programs of the federal government for the year ended June 30, 2024. The information on the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the College.
Title: Heightened Cash Monitoring Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the ten percent de minimis indirect cost rate as allowed under the Uniform Guidance. As a part of our audit procedures, we have tested the College's compliance with their administration of the heightened cash monitoring payment method and notification requirements as required by the Department of Education for the year ended June 30, 2024.
Title: Loan Programs Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the ten percent de minimis indirect cost rate as allowed under the Uniform Guidance. The federal loan programs listed below are administered directly by the College and the balances and transactions relating to this program are included in the College's basic financial statements. Loans outstanding at the beginning of the year are included in the federal expenditures presented in the Schedule. The balance of loans outstanding at June 30, 2024, consists of: "See the Notes to the SEFA for chart/table"
Title: Subrecipients Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the ten percent de minimis indirect cost rate as allowed under the Uniform Guidance. No federal awards were provided to subrecipients.

Finding Details

Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-001
Finding 2024-001 - Significant Deficiency, Compliance Federal Award No. 84.063, 84.268 U.S. Department Of Education Student Financial Aid Cluster – Cash Management Criteria: The U.S. Department of Education (ED) may place institutions on a Heightened Cash Monitoring (HCM) payment method to provide additional oversight of cash management. The College was placed on Heightened Cash Monitoring 1 (HCM1) as a requirement of its provisional approval of its program participation agreement. HCM1 requires that the College makes disbursements to eligible students from institutional funds and submits disbursement records to the Common Origination and Disbursement (COD) System before drawing down funds to cover those disbursements from G5. The College must also pay any credit balance due under 34 CFR 668.14(h), before it submits a request for funds. Condition: In our nonstatistical sample of 3 cash drawdowns, we noted 2 cash drawdowns completed in Fall 2023 for which refunds were not paid students from institutional funds prior to the funds being drawn down from G5 as required by the Heightened Cash Monitoring 1 requirements. We noted no instances of noncompliance for the Spring 2024 drawdown tested. Context: For the drawdown of Pell grant funds requested on September 15, 2023 and deposited on September 18, 2023 the College did not pay student refunds until September 19, 2023. The disbursement to the student accounts occurred on September 13, 2023, therefore funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. For the drawdown of Direct Loan funds requested on September 29, 2023 and deposited on October 2, 2023 the College did not pay student refunds until October 4, 2023. The disbursements to the student accounts occurred on September 27, 2023 and September 28, 2023, therefore these funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. Effect: The College is not meeting the requirements of heightened cash monitoring regulations. Questioned Costs: None noted. Cause: Bethany College did not have proper processes and related controls in place to ensure that heightened cash monitoring requirements were being met in the Fall 2023 semester. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department and business office should put in place controls that would ensure that heightened cash monitoring requirements are met and that student refunds that are generated by federal awards are paid prior to drawing down funds. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has adjusted its processes and controls beginning with the Spring 2024 semester to conduct a review of students for which refund payments need to be made prior to drawing down funds from G5. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-003
Finding 2024-003 - Significant Deficiency, Compliance Federal Award No. 84.268 U.S. Department Of Education Student Financial Aid Cluster – Reporting Criteria: According to the 2023-2024 COD Technical Reference and 2023-2024 SFA Handbook, the College must report accurate disbursement dates to Common Origination Disbursement (COD) for all direct loan disbursements made to students. Condition: In our nonstatistical sample of 40 student, we noted 1 student whose disbursement date listed in the College’s student records (10/12/23) differed by 14 days from the date of disbursement reported to COD (9/28/23) for the students’ PLUS loan disbursement. Context: The student in question had an anticipated disbursement date of 9/28/23 that was not updated for the actual disbursement date once the disbursement date was made by the College. Effect: Improperly reported disbursement dates could impact the amount of interest charged to a student. Questioned Costs: None noted. Cause: The College did not have proper processes and related controls in place to ensure that the disbursement date reported in COD agreed with the disbursement date in the College’s records. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department should put in place controls that would ensure that all disbursements would be processed on the anticipated disbursement date as planned and controls that would detect if disbursements were processed at a later or earlier date and adjustments to dates reported to COD were necessary. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has reviewed and where appropriate made updates to the processes used to report disbursement dates to COD and has corrected the disbursement date in COD for the student discrepancy noted. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-004
Finding 2024-004 - Significant Deficiency, Compliance Federal Award No. 84.038 U.S. Department Of Education Student Financial Aid Cluster – Reporting Criteria: Annually, the College is required to submit its Fiscal Operations Report and Application to Participate (FISAP) by October 1st of each year. The FISAP requires reporting primarily of key student financial aid data that ED has deemed necessary to assist with evaluating the College and is utilized to approve the College’s participation in Title IV funding levels for the fiscal year following the submission (ex. 2025-2026 academic year for report due October 1st, 2024). ED and the OMB have identified key line items in the 2024 Compliance Supplement that contain critical information that is required to be tested by the College’s auditors. One of the key line items required to be tested is Part III (Perkins): Section A, Line 1.1 Cash on hand and in depository which represents the amount of Perkins Loan funds cash held by the College at June 30, 2024 resulting from student loan repayments. Condition: The Perkins cash amount reported on Part III, Section A, Line 1.1 on the initial FISAP submitted for the year ended June 30, 2024, which was submitted timely prior to the October 1, 2024 deadline, totaled $231,958 as originally reported. The actual amount of cash held for the Perkins loan fund was $33,507 at June 30, 2024 per the College’s financial and banking records. The amount was not corrected until the discrepancy was identified during the audit testing of the FISAP. The College was able to correct the amount reported prior to the December 13, 2024 corrections due date. Context: The College utilized reports from its third party service provider to populate Part III (Perkin) of the FISAP. The third party service provider had not been informed of repayments made in the year ended June 30, 2024 to ED and to the College that were made as part of the annual distributional share calculation as funds are required to be repaid from the Perkins Cash held at the end of each fiscal year as the Perkins loan fund winds down. Therefore amounts listed in Part III (Perkins), Section A, Lines 1.1, 28.1, and 30.2 had not been updated properly on the initial FISAP submission. Effect: If the improper Perkins Cash was not corrected, the College could have been required to repay funds to ED using institutional funds. Questioned Costs: None noted. Cause: The College did not have proper processes and related controls in place to ensure that the amount reported on Part III (Perkins): Section A, Line 1.1 was accurate at June 30, 2024 as originally submitted. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The College should implement controls to specifically review Part III (Perkins): Section A, Line 1.1, 28.1, and 30.2 and ensure that the amounts reported agree with the College’s records prior to submission to ensure reporting is accurate. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has taken corrective action by submitting a corrected FISAP with the accurate date prior to the FISAP corrections due date of December 13, 2024. Additionally, the College has established controls to ensure review of the Perkins section of the FISAP for the next reporting year. Completion Date: December 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-001
Finding 2024-001 - Significant Deficiency, Compliance Federal Award No. 84.063, 84.268 U.S. Department Of Education Student Financial Aid Cluster – Cash Management Criteria: The U.S. Department of Education (ED) may place institutions on a Heightened Cash Monitoring (HCM) payment method to provide additional oversight of cash management. The College was placed on Heightened Cash Monitoring 1 (HCM1) as a requirement of its provisional approval of its program participation agreement. HCM1 requires that the College makes disbursements to eligible students from institutional funds and submits disbursement records to the Common Origination and Disbursement (COD) System before drawing down funds to cover those disbursements from G5. The College must also pay any credit balance due under 34 CFR 668.14(h), before it submits a request for funds. Condition: In our nonstatistical sample of 3 cash drawdowns, we noted 2 cash drawdowns completed in Fall 2023 for which refunds were not paid students from institutional funds prior to the funds being drawn down from G5 as required by the Heightened Cash Monitoring 1 requirements. We noted no instances of noncompliance for the Spring 2024 drawdown tested. Context: For the drawdown of Pell grant funds requested on September 15, 2023 and deposited on September 18, 2023 the College did not pay student refunds until September 19, 2023. The disbursement to the student accounts occurred on September 13, 2023, therefore funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. For the drawdown of Direct Loan funds requested on September 29, 2023 and deposited on October 2, 2023 the College did not pay student refunds until October 4, 2023. The disbursements to the student accounts occurred on September 27, 2023 and September 28, 2023, therefore these funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. Effect: The College is not meeting the requirements of heightened cash monitoring regulations. Questioned Costs: None noted. Cause: Bethany College did not have proper processes and related controls in place to ensure that heightened cash monitoring requirements were being met in the Fall 2023 semester. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department and business office should put in place controls that would ensure that heightened cash monitoring requirements are met and that student refunds that are generated by federal awards are paid prior to drawing down funds. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has adjusted its processes and controls beginning with the Spring 2024 semester to conduct a review of students for which refund payments need to be made prior to drawing down funds from G5. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-005
Finding 2024-005 - Significant Deficiency, Compliance Federal Award No. 10.766 U.S. Department Of Agriculture Community Facilities Loan –Special Tests and Provisions Criteria: The USDA established in its Letter of Conditions dated September 13, 2017 certain annual requirements for the College to complete as part of its borrowing of the Community Facilities Loan that was completed in the year ended June 30, 2018. Condition: The College was informed via confirmation response obtained during the financial statement audit for the year ended June 30, 2024 that the College had not met all of its requirements established in the Letter of Conditions related to its Community Facilities Loan. Context: We received a confirmation response from Beverly Howard, State Community Programs Loan Technician with USDA as part of our confirmation of the USDA loan balance outstanding at June 30, 2024. The confirmation response provided indicated that the College was deficient in providing to USDA annual budgets, the Business Analysis Questionnaire and Supplemental Data (since the year ended June 30, 2019), proof of insurance (since the year ended June 30, 2022), and the June 30, 2021 annual audit under the Single Audit Act had not been provided to the USDA. Effect: Without the information requested by the USDA, the USDA may not be able to provide effective oversight of the College’s loan. Questioned Costs: None noted. Cause: Due to transition in management teams in prior years, management of the College from the year ended June 30, 2020 through the year ended June 30, 2024 was not made aware of all of the conditions listed in the USDA’s Letter of Conditions. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The College should implement controls to ensure that all of the conditions/requirements noted in the USDA’s Letter of Conditions are met and controls to ensure that the Letter of Conditions are communicated to all relevant parties in periods of management transitions. Views Of Responsible Officials (Unaudited): The College has provided to the USDA the required documentation that had been identified as not sufficiently provided and has established controls to ensure that the requirements listed in the Letter of Conditions will be met each year going forward. Completion Date: December 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-001
Finding 2024-001 - Significant Deficiency, Compliance Federal Award No. 84.063, 84.268 U.S. Department Of Education Student Financial Aid Cluster – Cash Management Criteria: The U.S. Department of Education (ED) may place institutions on a Heightened Cash Monitoring (HCM) payment method to provide additional oversight of cash management. The College was placed on Heightened Cash Monitoring 1 (HCM1) as a requirement of its provisional approval of its program participation agreement. HCM1 requires that the College makes disbursements to eligible students from institutional funds and submits disbursement records to the Common Origination and Disbursement (COD) System before drawing down funds to cover those disbursements from G5. The College must also pay any credit balance due under 34 CFR 668.14(h), before it submits a request for funds. Condition: In our nonstatistical sample of 3 cash drawdowns, we noted 2 cash drawdowns completed in Fall 2023 for which refunds were not paid students from institutional funds prior to the funds being drawn down from G5 as required by the Heightened Cash Monitoring 1 requirements. We noted no instances of noncompliance for the Spring 2024 drawdown tested. Context: For the drawdown of Pell grant funds requested on September 15, 2023 and deposited on September 18, 2023 the College did not pay student refunds until September 19, 2023. The disbursement to the student accounts occurred on September 13, 2023, therefore funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. For the drawdown of Direct Loan funds requested on September 29, 2023 and deposited on October 2, 2023 the College did not pay student refunds until October 4, 2023. The disbursements to the student accounts occurred on September 27, 2023 and September 28, 2023, therefore these funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. Effect: The College is not meeting the requirements of heightened cash monitoring regulations. Questioned Costs: None noted. Cause: Bethany College did not have proper processes and related controls in place to ensure that heightened cash monitoring requirements were being met in the Fall 2023 semester. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department and business office should put in place controls that would ensure that heightened cash monitoring requirements are met and that student refunds that are generated by federal awards are paid prior to drawing down funds. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has adjusted its processes and controls beginning with the Spring 2024 semester to conduct a review of students for which refund payments need to be made prior to drawing down funds from G5. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-003
Finding 2024-003 - Significant Deficiency, Compliance Federal Award No. 84.268 U.S. Department Of Education Student Financial Aid Cluster – Reporting Criteria: According to the 2023-2024 COD Technical Reference and 2023-2024 SFA Handbook, the College must report accurate disbursement dates to Common Origination Disbursement (COD) for all direct loan disbursements made to students. Condition: In our nonstatistical sample of 40 student, we noted 1 student whose disbursement date listed in the College’s student records (10/12/23) differed by 14 days from the date of disbursement reported to COD (9/28/23) for the students’ PLUS loan disbursement. Context: The student in question had an anticipated disbursement date of 9/28/23 that was not updated for the actual disbursement date once the disbursement date was made by the College. Effect: Improperly reported disbursement dates could impact the amount of interest charged to a student. Questioned Costs: None noted. Cause: The College did not have proper processes and related controls in place to ensure that the disbursement date reported in COD agreed with the disbursement date in the College’s records. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department should put in place controls that would ensure that all disbursements would be processed on the anticipated disbursement date as planned and controls that would detect if disbursements were processed at a later or earlier date and adjustments to dates reported to COD were necessary. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has reviewed and where appropriate made updates to the processes used to report disbursement dates to COD and has corrected the disbursement date in COD for the student discrepancy noted. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-004
Finding 2024-004 - Significant Deficiency, Compliance Federal Award No. 84.038 U.S. Department Of Education Student Financial Aid Cluster – Reporting Criteria: Annually, the College is required to submit its Fiscal Operations Report and Application to Participate (FISAP) by October 1st of each year. The FISAP requires reporting primarily of key student financial aid data that ED has deemed necessary to assist with evaluating the College and is utilized to approve the College’s participation in Title IV funding levels for the fiscal year following the submission (ex. 2025-2026 academic year for report due October 1st, 2024). ED and the OMB have identified key line items in the 2024 Compliance Supplement that contain critical information that is required to be tested by the College’s auditors. One of the key line items required to be tested is Part III (Perkins): Section A, Line 1.1 Cash on hand and in depository which represents the amount of Perkins Loan funds cash held by the College at June 30, 2024 resulting from student loan repayments. Condition: The Perkins cash amount reported on Part III, Section A, Line 1.1 on the initial FISAP submitted for the year ended June 30, 2024, which was submitted timely prior to the October 1, 2024 deadline, totaled $231,958 as originally reported. The actual amount of cash held for the Perkins loan fund was $33,507 at June 30, 2024 per the College’s financial and banking records. The amount was not corrected until the discrepancy was identified during the audit testing of the FISAP. The College was able to correct the amount reported prior to the December 13, 2024 corrections due date. Context: The College utilized reports from its third party service provider to populate Part III (Perkin) of the FISAP. The third party service provider had not been informed of repayments made in the year ended June 30, 2024 to ED and to the College that were made as part of the annual distributional share calculation as funds are required to be repaid from the Perkins Cash held at the end of each fiscal year as the Perkins loan fund winds down. Therefore amounts listed in Part III (Perkins), Section A, Lines 1.1, 28.1, and 30.2 had not been updated properly on the initial FISAP submission. Effect: If the improper Perkins Cash was not corrected, the College could have been required to repay funds to ED using institutional funds. Questioned Costs: None noted. Cause: The College did not have proper processes and related controls in place to ensure that the amount reported on Part III (Perkins): Section A, Line 1.1 was accurate at June 30, 2024 as originally submitted. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The College should implement controls to specifically review Part III (Perkins): Section A, Line 1.1, 28.1, and 30.2 and ensure that the amounts reported agree with the College’s records prior to submission to ensure reporting is accurate. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has taken corrective action by submitting a corrected FISAP with the accurate date prior to the FISAP corrections due date of December 13, 2024. Additionally, the College has established controls to ensure review of the Perkins section of the FISAP for the next reporting year. Completion Date: December 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-001
Finding 2024-001 - Significant Deficiency, Compliance Federal Award No. 84.063, 84.268 U.S. Department Of Education Student Financial Aid Cluster – Cash Management Criteria: The U.S. Department of Education (ED) may place institutions on a Heightened Cash Monitoring (HCM) payment method to provide additional oversight of cash management. The College was placed on Heightened Cash Monitoring 1 (HCM1) as a requirement of its provisional approval of its program participation agreement. HCM1 requires that the College makes disbursements to eligible students from institutional funds and submits disbursement records to the Common Origination and Disbursement (COD) System before drawing down funds to cover those disbursements from G5. The College must also pay any credit balance due under 34 CFR 668.14(h), before it submits a request for funds. Condition: In our nonstatistical sample of 3 cash drawdowns, we noted 2 cash drawdowns completed in Fall 2023 for which refunds were not paid students from institutional funds prior to the funds being drawn down from G5 as required by the Heightened Cash Monitoring 1 requirements. We noted no instances of noncompliance for the Spring 2024 drawdown tested. Context: For the drawdown of Pell grant funds requested on September 15, 2023 and deposited on September 18, 2023 the College did not pay student refunds until September 19, 2023. The disbursement to the student accounts occurred on September 13, 2023, therefore funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. For the drawdown of Direct Loan funds requested on September 29, 2023 and deposited on October 2, 2023 the College did not pay student refunds until October 4, 2023. The disbursements to the student accounts occurred on September 27, 2023 and September 28, 2023, therefore these funds were appropriately requested to cover fall awards; however, for any student for which the federal aid awards exceed the institutional charges, the College is required to pay the student refund prior to completing the drawdown for those students. Effect: The College is not meeting the requirements of heightened cash monitoring regulations. Questioned Costs: None noted. Cause: Bethany College did not have proper processes and related controls in place to ensure that heightened cash monitoring requirements were being met in the Fall 2023 semester. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The Financial Aid department and business office should put in place controls that would ensure that heightened cash monitoring requirements are met and that student refunds that are generated by federal awards are paid prior to drawing down funds. Views Of Responsible Officials (Unaudited): The College concurs with the finding and has adjusted its processes and controls beginning with the Spring 2024 semester to conduct a review of students for which refund payments need to be made prior to drawing down funds from G5. Completion Date: February 2024 Contact Person: Steven W. Eckman, President
Finding 2024-002
Finding 2024-002 - Significant Deficiency, Compliance Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038 U.S. Department Of Education Student Financial Aid Cluster - Special Tests And Provisions Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program. Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by June 30, 2024. Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program. Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks. Questioned Costs: None noted. Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule. Indication Of Repeat Finding: This is a repeat finding of 2023-005. Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule. Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program. Completion Date: Spring 2025 Contact Person: Joshua Bieber, Director of Information Technology
Finding 2024-005
Finding 2024-005 - Significant Deficiency, Compliance Federal Award No. 10.766 U.S. Department Of Agriculture Community Facilities Loan –Special Tests and Provisions Criteria: The USDA established in its Letter of Conditions dated September 13, 2017 certain annual requirements for the College to complete as part of its borrowing of the Community Facilities Loan that was completed in the year ended June 30, 2018. Condition: The College was informed via confirmation response obtained during the financial statement audit for the year ended June 30, 2024 that the College had not met all of its requirements established in the Letter of Conditions related to its Community Facilities Loan. Context: We received a confirmation response from Beverly Howard, State Community Programs Loan Technician with USDA as part of our confirmation of the USDA loan balance outstanding at June 30, 2024. The confirmation response provided indicated that the College was deficient in providing to USDA annual budgets, the Business Analysis Questionnaire and Supplemental Data (since the year ended June 30, 2019), proof of insurance (since the year ended June 30, 2022), and the June 30, 2021 annual audit under the Single Audit Act had not been provided to the USDA. Effect: Without the information requested by the USDA, the USDA may not be able to provide effective oversight of the College’s loan. Questioned Costs: None noted. Cause: Due to transition in management teams in prior years, management of the College from the year ended June 30, 2020 through the year ended June 30, 2024 was not made aware of all of the conditions listed in the USDA’s Letter of Conditions. Indication Of Repeat Finding: This is not a repeat finding. Recommendation: The College should implement controls to ensure that all of the conditions/requirements noted in the USDA’s Letter of Conditions are met and controls to ensure that the Letter of Conditions are communicated to all relevant parties in periods of management transitions. Views Of Responsible Officials (Unaudited): The College has provided to the USDA the required documentation that had been identified as not sufficiently provided and has established controls to ensure that the requirements listed in the Letter of Conditions will be met each year going forward. Completion Date: December 2024 Contact Person: Steven W. Eckman, President