Audit 347304

FY End
2024-08-31
Total Expended
$19.72M
Findings
8
Programs
12
Organization: Finger Lakes Community College (NY)
Year: 2024 Accepted: 2025-03-21
Auditor: Bonadio & CO LLP


Findings

ID       Ref       Severity                 Repeat  Requirement
529261   2024-001  Significant Deficiency   -       N
529262   2024-001  Significant Deficiency   -       N
529263   2024-001  Significant Deficiency   -       N
529264   2024-001  Significant Deficiency   -       N
1105703  2024-001  Significant Deficiency   -       N
1105704  2024-001  Significant Deficiency   -       N
1105705  2024-001  Significant Deficiency   -       N
1105706  2024-001  Significant Deficiency   -       N

Contacts

Name Title Type
RHAVTVGK6GX8 Jason Tack Auditee
5857851208 Karen Lynch Auditor

Notes to SEFA

Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.

1. GENERAL: The accompanying schedule of expenditures of federal awards (the Schedule) summarizes the expenditures of Finger Lakes Community College (the College) under programs of the federal government for the year ended August 31, 2024 and has been prepared in conformity with accounting principles generally accepted in the United States of America. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in financial position, or cash flows of the College.
2. BASIS OF ACCOUNTING: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
3. INDIRECT COST RATE: The College has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.

Finding Details

Finding 2024-001 - 84.268, 84.063, 84.033, 84.007 Student Financial Aid Cluster
Federal Agency: U.S. Department of Education
Grant Period: Year ended August 31, 2024
Criteria: Institutions participating in Title IV programs are required to comply with various laws and regulations as part of their signed Program Participation Agreement (PPA), including but not limited to the Federal Trade Commission’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (Title 16, Chapter I, Subchapter C, Part 314).
Condition: The College has not performed a thorough information security risk assessment, which should include consideration of internal and external risks and the sufficiency of the safeguards in place to control the risks identified. Many of the policies in place are outdated and have not been updated for potential changes in the College’s operations. Given the pace of change in the technology environment, outdated policies are unlikely to fully capture current circumstances.
Cause: The College’s information security program does not include procedures for the performance of regular risk assessments.
Effect: As the College has not performed a thorough information security risk assessment, it may be unaware of the risks to its sensitive data, specifically datasets protected under GLBA. Many policies are outdated and may not reflect the actual processes in place.
Recommendation: The College should work to implement a standardized and detailed risk management framework, such as those provided by the National Institute of Standards and Technology (NIST). Risk assessment documentation should include detailed information regarding current procedures in place, justifications for scoring, safeguards for each identified risk, and remediation plans. As part of this process, the College should then review the current policies and procedures at least annually to determine if any updates should be made.