2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-002 Special Tests (Enrollment Reporting)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
Federal Grant Numbers: E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024)
Statistically Valid Sample: No, and it was not intended to be
Prior Year Finding: No
Finding Type: Significant Deficiency and Noncompliance
Criteria:
Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information.
There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, enrollment effective date, enrollment status and certification date
Institutions are responsible for accurately reporting all Program Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date
Institutions are responsible for timely reporting, whether they report directly or via a third party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845 0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)).
Additionally, in accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
Condition and Context:
The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS.
For one of sixty students selected for testwork, the University did not report the student’s status change of withdrawn to NSLDS within 60 days on the Campus Level Record. The student was reported 349 days late.
For two of sixty students selected for testwork, the withdrawn effective date for the students did not match between the University record, Campus-Level Record and Program-Level Record.
Cause:
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded timely.
For the two students who did not have a consistently reported withdrawn dates between the University record, Campus-Level Record and Program-Level Record, the issue was due to a retroactive change to the status which was not reported timely.
Effect:
Student status changes not reported in a timely manner may cause the student to not enter into repayment status for Federal Direct Loans on a timely basis.
Questioned Costs:
None.
Recommendation:
We recommend the University adhere to its current policies and procedures to ensure that all status changes are reported to NSLDS timely and that all student statuses match between the University records, Campus-Level Records and Program-Level Records.
Views of Responsible Officials:
Management agrees with the finding.
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded appropriately until several months later. The School finally updated the Clearinghouse information and at that time the correct information was transmitted to NSLDS via the Clearinghouse. The Rutgers Health and University Registrar will continue to provide training and support to University constituents through regular reporting and monthly check-in meetings to reiterate the importance of timely submissions..
For the two students who did not have a consistently reported withdrawn date between the University record, Campus-Level Record and Program-Level Record, the issue was due to a reporting error. There was a subtle difference/issue with the coding of the Clearinghouse file process that created the infrequent anomaly. In both instances, the Campus-Level effective date was the correct date. The Rutgers Health and University Registrar will continue work with the central Office of Information Technology, University Enrollment Services and Ellucian teams to refine the enrollment reporting process and will provide training to all involved to ensure ccurate reporting.
2024-002 Special Tests (Enrollment Reporting)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
Federal Grant Numbers: E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024)
Statistically Valid Sample: No, and it was not intended to be
Prior Year Finding: No
Finding Type: Significant Deficiency and Noncompliance
Criteria:
Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information.
There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, enrollment effective date, enrollment status and certification date
Institutions are responsible for accurately reporting all Program Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date
Institutions are responsible for timely reporting, whether they report directly or via a third party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845 0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)).
Additionally, in accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
Condition and Context:
The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS.
For one of sixty students selected for testwork, the University did not report the student’s status change of withdrawn to NSLDS within 60 days on the Campus Level Record. The student was reported 349 days late.
For two of sixty students selected for testwork, the withdrawn effective date for the students did not match between the University record, Campus-Level Record and Program-Level Record.
Cause:
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded timely.
For the two students who did not have a consistently reported withdrawn dates between the University record, Campus-Level Record and Program-Level Record, the issue was due to a retroactive change to the status which was not reported timely.
Effect:
Student status changes not reported in a timely manner may cause the student to not enter into repayment status for Federal Direct Loans on a timely basis.
Questioned Costs:
None.
Recommendation:
We recommend the University adhere to its current policies and procedures to ensure that all status changes are reported to NSLDS timely and that all student statuses match between the University records, Campus-Level Records and Program-Level Records.
Views of Responsible Officials:
Management agrees with the finding.
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded appropriately until several months later. The School finally updated the Clearinghouse information and at that time the correct information was transmitted to NSLDS via the Clearinghouse. The Rutgers Health and University Registrar will continue to provide training and support to University constituents through regular reporting and monthly check-in meetings to reiterate the importance of timely submissions..
For the two students who did not have a consistently reported withdrawn date between the University record, Campus-Level Record and Program-Level Record, the issue was due to a reporting error. There was a subtle difference/issue with the coding of the Clearinghouse file process that created the infrequent anomaly. In both instances, the Campus-Level effective date was the correct date. The Rutgers Health and University Registrar will continue work with the central Office of Information Technology, University Enrollment Services and Ellucian teams to refine the enrollment reporting process and will provide training to all involved to ensure ccurate reporting.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-001 Eligibility, Reporting (Financial) and Special Tests (Disbursements to or on Behalf of Students)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Supplemental Educational Opportunity Grants (ALN 84.007)
Federal Work Study Program (ALN 84.033)
Federal Perkins Loans (ALN 84.038)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration
Nurse Faculty Loan Program (ALN 93.264)
Health Profession Student Loan Program (ALN 93.342)
Loans for Disadvantaged Students (ALN 93.342)
Nursing Student Loans (ALN 93.364)
Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925)
Federal Grant Numbers: E P007A132602 (7/1/2023 – 6/30/2024), E P033A132602 (7/1/2023 – 6/30/2024), E P038A132602 (7/1/2023 – 6/30/2024), E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024), E 01HP28821 02 02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2023 – 6/30/2024), 1T08HP393200100 (7/1/2023 – 6/30/2024), 5 T08HP39320 03 00 (7/1/2023 – 6/30/2024)
Statistically valid sample: No and it was not intended to be.
Repeat finding: Yes (2023-001)
Finding Type: Material weakness
Criteria:
In accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions:
• Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts.
• Disburses student financial assistance to students.
• Reports disbursement information to the Common Origination and Disbursement system.
The internal controls over these functions are considered automated controls for the applicable compliance requirements.
Condition and Context:
In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed.
Related to user access, 14 employees of a sample of 25 employees did not follow the appropriate process for new access or a modification of access to the system. Related to user deprovisioning, 24 of the 25 employees sampled did not have the proper documentation for termination of user access. In addition, a user access review was not completed timely.
Related to program changes, there were at least 45 individuals with elevated access to OSFP. The University should review these roles and determine if they are necessary, if all employees actually need that level of access and also separate the roles between those who can develop and deploy changes to ensure proper segregation of duties is maintained.
Cause:
The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system upon implementation. In fiscal year 2024, the University began to implement the standard policies and procedures, however they were not in effect for the entire fiscal year.
Effect:
As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls.
Questioned Costs:
No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to noncompliance.
Recommendation:
We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access and program changes. The University should create a provisioning and deprovisioning process and ensure that it is followed for all access changes to OSFP. The University should also create a user access review policy and ensure it is followed in a timely manner so that only appropriate users have access to the system
Views of Responsible Official:
Management agrees with the finding.
Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system are tracked in a project tracking software. There is a dedicated OSFP administrator, segregating duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which limits the permissions, with only 4 administrators with the advanced privileges. Finally, a preliminary recertification process occurred in October 2023 and October 2024 without formal procedures which remained in development. Formalized procedures, which includes annual training, will be finalized in fiscal year 2025.
2024-002 Special Tests (Enrollment Reporting)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
Federal Grant Numbers: E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024)
Statistically Valid Sample: No, and it was not intended to be
Prior Year Finding: No
Finding Type: Significant Deficiency and Noncompliance
Criteria:
Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information.
There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, enrollment effective date, enrollment status and certification date
Institutions are responsible for accurately reporting all Program Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date
Institutions are responsible for timely reporting, whether they report directly or via a third party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845 0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)).
Additionally, in accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
Condition and Context:
The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS.
For one of sixty students selected for testwork, the University did not report the student’s status change of withdrawn to NSLDS within 60 days on the Campus Level Record. The student was reported 349 days late.
For two of sixty students selected for testwork, the withdrawn effective date for the students did not match between the University record, Campus-Level Record and Program-Level Record.
Cause:
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded timely.
For the two students who did not have a consistently reported withdrawn dates between the University record, Campus-Level Record and Program-Level Record, the issue was due to a retroactive change to the status which was not reported timely.
Effect:
Student status changes not reported in a timely manner may cause the student to not enter into repayment status for Federal Direct Loans on a timely basis.
Questioned Costs:
None.
Recommendation:
We recommend the University adhere to its current policies and procedures to ensure that all status changes are reported to NSLDS timely and that all student statuses match between the University records, Campus-Level Records and Program-Level Records.
Views of Responsible Officials:
Management agrees with the finding.
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded appropriately until several months later. The School finally updated the Clearinghouse information and at that time the correct information was transmitted to NSLDS via the Clearinghouse. The Rutgers Health and University Registrar will continue to provide training and support to University constituents through regular reporting and monthly check-in meetings to reiterate the importance of timely submissions..
For the two students who did not have a consistently reported withdrawn date between the University record, Campus-Level Record and Program-Level Record, the issue was due to a reporting error. There was a subtle difference/issue with the coding of the Clearinghouse file process that created the infrequent anomaly. In both instances, the Campus-Level effective date was the correct date. The Rutgers Health and University Registrar will continue work with the central Office of Information Technology, University Enrollment Services and Ellucian teams to refine the enrollment reporting process and will provide training to all involved to ensure ccurate reporting.
2024-002 Special Tests (Enrollment Reporting)
Student Financial Assistance Cluster:
U.S. Department of Education
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)
Federal Grant Numbers: E P063P130272 (7/1/2023 – 6/30/2024), P268K130272 (7/1/2023 – 6/30/2024)
Statistically Valid Sample: No, and it was not intended to be
Prior Year Finding: No
Finding Type: Significant Deficiency and Noncompliance
Criteria:
Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information.
There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, enrollment effective date, enrollment status and certification date
Institutions are responsible for accurately reporting all Program Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk:
• OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date
Institutions are responsible for timely reporting, whether they report directly or via a third party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845 0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)).
Additionally, in accordance with federal requirements, the University shall maintain internal controls over federal programs designed to provide reasonable assurance that transactions are executed in compliance with federal statutes, regulations, and the terms and conditions of the federal award that could have a direct and material effect on a federal program.
Condition and Context:
The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS.
For one of sixty students selected for testwork, the University did not report the student’s status change of withdrawn to NSLDS within 60 days on the Campus Level Record. The student was reported 349 days late.
For two of sixty students selected for testwork, the withdrawn effective date for the students did not match between the University record, Campus-Level Record and Program-Level Record.
Cause:
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded timely.
For the two students who did not have a consistently reported withdrawn dates between the University record, Campus-Level Record and Program-Level Record, the issue was due to a retroactive change to the status which was not reported timely.
Effect:
Student status changes not reported in a timely manner may cause the student to not enter into repayment status for Federal Direct Loans on a timely basis.
Questioned Costs:
None.
Recommendation:
We recommend the University adhere to its current policies and procedures to ensure that all status changes are reported to NSLDS timely and that all student statuses match between the University records, Campus-Level Records and Program-Level Records.
Views of Responsible Officials:
Management agrees with the finding.
For the student whose withdrawn status was reported late, the notification of withdrawn was provided to the Registrar timely, however the update in NSLDS was not recorded appropriately until several months later. The School finally updated the Clearinghouse information and at that time the correct information was transmitted to NSLDS via the Clearinghouse. The Rutgers Health and University Registrar will continue to provide training and support to University constituents through regular reporting and monthly check-in meetings to reiterate the importance of timely submissions..
For the two students who did not have a consistently reported withdrawn date between the University record, Campus-Level Record and Program-Level Record, the issue was due to a reporting error. There was a subtle difference/issue with the coding of the Clearinghouse file process that created the infrequent anomaly. In both instances, the Campus-Level effective date was the correct date. The Rutgers Health and University Registrar will continue work with the central Office of Information Technology, University Enrollment Services and Ellucian teams to refine the enrollment reporting process and will provide training to all involved to ensure ccurate reporting.