2024-002. FINDING (Enrollment Reporting)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K240567, P268K230567
Questioned Cost: None
Program Expenditures: $21,113,430
Cluster Expenditures: $32,781,904
Governors State University (University) did not timely and accurately report student enrollment information to the U.S. Department of Education’s National Student Loan Data System (NSLDS).
CONDITION
During testing of 40 enrollment status changes, we noted the following:
• Seven of 40 (18%) enrollment status changes were not reported timely to the NSLDS. These enrollment status changes were reported 1 to 228 days late after the date of occurrence. In addition, 2 of the 7 enrollment status changes pertain to students with direct loans who ceased to be enrolled on at least a half-time basis for the period for which the loan was intended.
• Ten of 40 (25%) enrollment status changes had discrepancies in the Program Begin Date, ranging from 1,254 days early to 2 days late when compared to their official program start dates.
The sample was not intended to be, and was not, a statistically valid sample.
CRITERIA
The Code of Federal Regulations (34 CFR 685.309) requires the University, upon the receipt of an enrollment report from the Secretary of the Department of Education (ED), to update all information included in the report and return the report to the ED within the timeframe prescribed by the ED. It further requires the University to report enrollment changes within 30 days unless a roster file is expected within 60 days, in which case the enrollment data may be updated on that roster file. This report should include changes such as when a Direct Loan was made to or on behalf of a student who was enrolled or accepted for enrollment at the University, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended.
The NSLDS Enrollment Reporting Guide states the University is responsible for accurately reporting all Program-Level Record and Campus-Level Record data elements. The Program Begin Date is the date the student first began attending the program being reported. Typically, this would be the first day of the term in which the student began enrollment in the program, unless the student enrolled in the program on an earlier date.
The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal statutes, regulations, and terms and conditions of the federal award. Effective internal controls should include procedures to ensure accurate and timely student enrollment status reports are submitted to NSLDS.
CAUSE
University officials stated the delay in reporting status changes was attributable to challenges within the reporting protocols to the NSLDS for various status change scenarios occurring after the term end date and delays in the internal reporting process.
The University reports enrollment status changes to NSLDS through the National Student Clearinghouse (NSC), a third-party servicer. As part of the enrollment reporting process, system-generated files are uploaded to the NSC, which then provides the data to NSLDS. Upon review of the system-generated files, there are various dates contained within the files, which may have caused inaccurate Program Begin Dates reflected in the NSLDS’ Program-Level Record.
EFFECT
Accurate, timely, and complete enrollment information is critical for effective and proper administration of the student financial aid programs. Noncompliance with enrollment reporting regulations may result in a loss of future federal funding. (Finding Code No. 2024-002, 2023-002, 2022-002, 2021-003)
RECOMMENDATION
We recommend the University improve its procedures to ensure timely and accurate reporting of student enrollment status to the NSLDS both in Program-Level Record and Campus-Level Record.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Following consultation with the NSC, guidelines were provided for handling various status change scenarios. These guidelines will enhance the accuracy of enrollment status change reporting, particularly for students with changes occurring before or after the subsequent enrollment file submission. Status changes are now being reported to the NSLDS in a timely and accurate manner, in accordance with the NSC guidelines. The University has also implemented a reporting timeline and review protocols to ensure status changes are reported to the NSLDS in a timely manner. Additionally, the University will collaborate with its Information Technology Services and representatives from the NSC and NSLDS to verify the accuracy of the file layouts and the data flow of the information provided.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308‐04‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
CONDITION
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.
2024-004. FINDING (Noncompliance with Notification Requirements on Direct PLUS Loans Disbursements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K240567, P268K230567
Questioned Cost: None
Program Expenditures: $21,113,430
Cluster Expenditures: $32,781,904
Governors State University (University) did not comply with the notification requirements on Direct PLUS Loans disbursements.
CONDITION
During testing of 25 Direct Loans disbursements, we noted 2 (8%) students with Direct PLUS loans, where the parents were not properly notified. Notifications were made only to students.
CRITERIA
The Code of Federal Regulations (34 CFR 668.165) requires the University, when Direct Loans are being credited to a student’s account, to notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the Department of Education; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan (a minimum of 14 or 30 days depending on confirmation process). Further, the Federal Student Aid (FSA) handbook clarified that general notification must be provided to the parent Direct PLUS borrower and all students receiving FSA funds.
CAUSE
University officials stated they were aware of the notification requirements and believed the existing process was compliant with the requirements.
EFFECT
Proper notifications protect the borrower’s rights and give the parent borrower a chance to reconsider the loan, adjust disbursements or cancel within the specified timeframe. In addition, failure to implement notification requirements represents noncompliance with federal regulations. (Finding Code No. 2024-004)
RECOMMENDATION
We recommend the University improve its procedures to ensure proper notification is made to the parent Direct PLUS borrowers.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has implemented changes to procedures to send proper notification to the parent Direct PLUS borrowers.
2024-005. FINDING (Failure to Retain Adequate Documentation of Internal Direct Loans Reconciliation)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K240567, P268K230567
Questioned Cost: None
Program Expenditures: $21,113,430
Cluster Expenditures: $32,781,904
Governors State University (University) did not retain documentation of its internal monthly Direct Loans reconciliation to demonstrate timely completion.
CONDITION
During testing of Direct Loans, we were unable to verify whether the University completed the monthly internal reconciliation in a timely manner due to the absence of supporting documentation.
CRITERIA
The Federal Student Aid (FSA) issued Electronic Announcement General-22-86 covering reconciliation requirements for all Title IV programs between the Department of Education’s G5 system records and the University’s internal records. It further requires the University to internally reconcile disbursement data between the Financial Services and Comptroller Office and the Financial Aid Office.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University performs the monthly internal reconciliation process. However, the monthly internal reconciliation spreadsheet is updated each month without retaining the prior versions.
EFFECT
Failure to properly document internal monthly reconciliations between the Financial Services and Comptroller Office and Financial Aid Office may result in inaccurate and incomplete financial information. (Finding Code No. 2024-005)
RECOMMENDATION
We recommend the University improve its procedures to ensure documentation is retained to demonstrate timely completion of reconciliations.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing procedures have been revised to require the retention of internal reconciliation records on a monthly basis.
2024-006. FINDING (Noncompliance with Perkins Loans’ Retention of Records Requirements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.038
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program
Award Number: None
Questioned Cost: None
Program Expenditures: $1,938,618
Cluster Expenditures: $32,781,904
Governors State University (University) did not maintain a copy of the master promissory note (MPN) for a Perkins Loan program loan.
CONDITION
During testing of Perkins Loan receivables, we identified 1 of 12 (8%) students with a missing MPN.
CRITERIA
The Code of Federal Regulations (34 CFR 674.19(e)) requires the University to retain a record of disbursements for each loan made to a borrower on a promissory note. In addition, the University is required to keep the original MPN until the loans are satisfied. If required to release original documents in order to enforce the loan, the University must retain certified true copies of those documents.
CAUSE
University officials stated the University maintains copies of the MPNs; however, the one MPN pertained to a Perkins Loan disbursed over 18 years ago. Consequently, it may have been misplaced due to staffing changes over the years.
EFFECT
Failure to properly maintain loan documentation may result in inaccurate loan balances, potential disputes with borrowers, and noncompliance with federal regulations. (Finding Code No. 2024-006)
RECOMMENDATION
We recommend the University improve its procedures to ensure compliance with records retention requirements.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing University procedures ensure MPNs and other Perkins-related documentation requirements are properly maintained. The University will continue its ongoing process of reviewing Perkins documentation to comply with the requirements.
2024-007. FINDING (Noncompliance with Activities Allowed or Unallowed and Allowable Costs and Cost Principles Requirements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.425D
Cluster Name: Education Stabilization Fund
Program Name: Elementary and Secondary School Emergency Relief Fund
Award Number: S425D210041
Questioned Cost: None
Program Expenditures: $1,222,010
Cluster Expenditures: $1,466,030
Governors State University (University) did not comply with activities allowed or unallowed and allowable costs and cost principles requirements.
CONDITION
During our review of the Illinois Tutoring Initiative program under the Elementary and Secondary School Emergency Relief (ESSER) Fund, which had total expenditures of $1,222,010, we identified that 1 of 25 (4%) expenditures was inappropriately charged to the grant. The University inadvertently charged Central Management Services (CMS) insurance of $414 for an employee who did not work on the program. The sample was not intended to be, and was not, a statistically valid sample.
CRITERIA
The Code of Federal Regulations (2 CFR 200.431(c)) requires the University to allocate fringe benefits to federal awards and all other activities in a manner consistent with the pattern of benefits attributable to the individuals or group(s) of employees whose salaries and wages are chargeable to such federal awards and other activities, and charged as direct or indirect costs following the University's accounting practices.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the charge was meant for a different federal grant, but was inadvertently assigned to the ESSER grant due to a formula error in the supporting spreadsheet.
EFFECT
Failure to accurately charge the correct grant may result in disallowance of federal expenditures and questioned costs, and could jeopardize future federal funding. (Finding Code No. 2024-007)
RECOMMENDATION
We recommend the University improve its procedures to ensure fringe benefits allocated to the grant align consistently with the salaries and wages charged to the grant.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. More stringent review procedures have been implemented to prevent the recurrence of this issue.
2024-004. FINDING (Noncompliance with Notification Requirements on Direct PLUS Loans Disbursements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K240567, P268K230567
Questioned Cost: None
Program Expenditures: $21,113,430
Cluster Expenditures: $32,781,904
Governors State University (University) did not comply with the notification requirements on Direct PLUS Loans disbursements.
CONDITION
During testing of 25 Direct Loans disbursements, we noted 2 (8%) students with Direct PLUS loans, where the parents were not properly notified. Notifications were made only to students.
CRITERIA
The Code of Federal Regulations (34 CFR 668.165) requires the University, when Direct Loans are being credited to a student’s account, to notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the Department of Education; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan (a minimum of 14 or 30 days depending on the confirmation process). Further, the Federal Student Aid (FSA) handbook clarified that general notification must be provided to the parent Direct PLUS borrower and all students receiving FSA funds.
CAUSE
University officials stated they were aware of the notification requirements and believed the existing process was compliant with the requirements.
EFFECT
Proper notifications protect the borrower’s rights and give the parent borrower a chance to reconsider the loan, adjust disbursements or cancel within the specified timeframe. In addition, failure to implement notification requirements represents noncompliance with federal regulations. (Finding Code No. 2024-004)
RECOMMENDATION
We recommend the University improve its procedures to ensure proper notification is made to the parent Direct PLUS borrowers.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has implemented changes to procedures to send proper notification to the parent Direct PLUS borrowers.
2024-005. FINDING (Failure to Retain Adequate Documentation of Internal Direct Loans Reconciliation)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K240567, P268K230567
Questioned Cost: None
Program Expenditures: $21,113,430
Cluster Expenditures: $32,781,904
Governors State University (University) did not retain documentation of its internal monthly Direct Loans reconciliation to demonstrate timely completion.
CONDITION
During testing of Direct Loans, we were unable to verify whether the University completed the monthly internal reconciliation in a timely manner due to the absence of supporting documentation.
CRITERIA
Federal Student Aid (FSA) issued Electronic Announcement General-22-86 covering reconciliation requirements for all Title IV programs between the Department of Education’s G5 system records and the University’s internal records. It further requires the University to internally reconcile disbursement data between the Financial Services and Comptroller Office and the Financial Aid Office.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University performs the monthly internal reconciliation process. However, the monthly internal reconciliation spreadsheet is updated each month without retaining the prior versions.
EFFECT
Failure to properly document internal monthly reconciliations between the Financial Services and Comptroller Office and Financial Aid Office may result in inaccurate and incomplete financial information. (Finding Code No. 2024-005)
RECOMMENDATION
We recommend the University improve its procedures to ensure documentation is retained to demonstrate timely completion of reconciliations.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing procedures have been revised to require the retention of internal reconciliation records on a monthly basis.
2024-006. FINDING (Noncompliance with Perkins Loans’ Retention of Records Requirements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.038
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program
Award Number: None
Questioned Cost: None
Program Expenditures: $1,938,618
Cluster Expenditures: $32,781,904
Governors State University (University) did not maintain a copy of the master promissory note (MPN) for a Perkins Loan program loan.
CONDITION
During testing of Perkins Loan receivables, we identified 1 of 12 (8%) students with a missing MPN.
CRITERIA
The Code of Federal Regulations (34 CFR 674.19(e)) requires the University to retain a record of disbursements for each loan made to a borrower on a promissory note. In addition, the University is required to keep the original MPN until the loans are satisfied. If required to release original documents in order to enforce the loan, the University must retain certified true copies of those documents.
CAUSE
University officials stated the University maintains copies of the MPNs; however, the one MPN pertained to a Perkins Loan disbursed over 18 years ago. Consequently, it may have been misplaced due to staffing changes over the years.
EFFECT
Failure to properly maintain loan documentation may result in inaccurate loan balances, potential disputes with borrowers, and noncompliance with federal regulations. (Finding Code No. 2024-006)
RECOMMENDATION
We recommend the University improve its procedures to ensure compliance with records retention requirements.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing University procedures ensure MPNs and other Perkins-related documentation requirements are properly maintained. The University will continue its ongoing process of reviewing Perkins documentation to comply with the requirements.
2024-007. FINDING (Noncompliance with Activities Allowed or Unallowed and Allowable Costs and Cost Principles Requirements)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.425D
Cluster Name: Education Stabilization Fund
Program Name: Elementary and Secondary School Emergency Relief Fund
Award Number: S425D210041
Questioned Cost: None
Program Expenditures: $1,222,010
Cluster Expenditures: $1,466,030
Governors State University (University) did not comply with activities allowed or unallowed and allowable costs and cost principles requirements.
CONDITION
During our review of the Illinois Tutoring Initiative program under the Elementary and Secondary School Emergency Relief (ESSER) Fund, which had total expenditures of $1,222,010, we identified 1 of 25 (4%) expenditures that was inappropriately charged to the grant. The University inadvertently charged Central Management Services (CMS) insurance of $414 for an employee who did not work on the program. The sample was not intended to be, and was not, a statistically valid sample.
CRITERIA
The Code of Federal Regulations (2 CFR 200.431(c)) requires the University to allocate fringe benefits to federal awards and all other activities in a manner consistent with the pattern of benefits attributable to the individuals or group(s) of employees whose salaries and wages are chargeable to such federal awards and other activities, and charged as direct or indirect costs following the University's accounting practices.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the charge was meant for a different federal grant, but was inadvertently assigned to the ESSER grant due to a formula error in the supporting spreadsheet.
EFFECT
Failure to accurately charge the correct grant may result in disallowance of federal expenditures and questioned costs, and could jeopardize future federal funding. (Finding Code No. 2024-007)
RECOMMENDATION
We recommend the University improve its procedures to ensure fringe benefits allocated to the grant align consistently with the salaries and wages charged to the grant.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. More stringent review procedures have been implemented to prevent the recurrence of this issue.