FAC Explorer

Audit 351195

FY End
2024-06-30
Total Expended
$59.86M
Findings
10
Programs
9
Organization: Tusculum University (TN)
Year: 2024 Accepted: 2025-03-31
Auditor: Blackburn Childers & Steagall Plc

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
544687 2024-002 Significant Deficiency - N
544688 2024-003 Significant Deficiency - N
544689 2024-005 Significant Deficiency Yes N
544690 2024-004 Significant Deficiency Yes N
544691 2024-001 Significant Deficiency - N
1121129 2024-002 Significant Deficiency - N
1121130 2024-003 Significant Deficiency - N
1121131 2024-005 Significant Deficiency Yes N
1121132 2024-004 Significant Deficiency Yes N
1121133 2024-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
10.766 Community Facilities Loans and Grants $47.40M Yes 0
84.268 Federal Direct Student Loans $7.27M Yes 1
84.063 Federal Pell Grant Program $2.56M Yes 1
84.047 Trio Upward Bound $1.12M - 0
84.044 Trio Talent Search $705,849 - 0
84.042 Trio Student Support Services $600,232 - 0
84.007 Federal Supplemental Educational Opportunity Grants $100,690 Yes 0
84.033 Federal Work-Study Program $97,310 Yes 2
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $6,565 Yes 1

Contacts

Name Title Type
WLC1GBMGN9N7 Benita Bare Auditee
4236367215 Chad Kisner Auditor
No contacts on file

Notes to SEFA

Title: Note A: Basis of Presentation Accounting Policies: Expenditures reported on the SEFA are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The University has elected not to use the 10 percent de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying SEFA includes the federal award activity of the University under programs of the federal government for the year ended June 30, 2024. The information in this SEFA is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the SEFA presents only a selected portion of the operations of the University, it is not intended to, and does not present, the financial position, changes in net assets or cash flows of the University.
Title: Note C: U.S. Department of Agriculture Community Facilities Loans Accounting Policies: Expenditures reported on the SEFA are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The University has elected not to use the 10 percent de minimis indirect cost rate allowed under the Uniform Guidance. The federal financial assistance from the U.S. Department of Agriculture (USDA), Community Facilities Loans program, is in the form of interest-bearing loans to be repaid in accordance with the terms of the agreements. Because of the continuing compliance requirements, the total outstanding loan balances at the beginning of the fiscal year plus any new loans are reported on the schedule. The USDA committed up to $49,799,190 toward the funding of the approved projects. In FY2022, USDA re-amortized the loan to increase the principal amount by the amount of interest that was deferred due to the coronavirus pandemic. After the deferral, the new outstanding principal balance for fiscal year 2022 was $47,553,064.

Finding Details

Finding 2024-002
2024-002 Significant Deficiency: Federal Work-Study (FWS) Underpayment (U.S. Department of Education, Federal Work-Study Program, ALN #84.033) Criteria: In accordance with 34 CFR 675.24, an institution shall compute FWS compensation on an hourly wage basis for actual time on the job. An institution may not pay a student a salary, commission, or fee. The minimum wage rate for a student employee under the FWS program is the minimum wage rate required under section 6(a) of the Fair Labor Standards Act of 1938. The Fair Labor Standards Act of 1938, as amended, prohibits employers (including schools) from accepting voluntary services from any paid employee. Any student employed under FWS must be paid for all hours worked. Statement of Condition: During the 2024 audit, it was noted that the University did not fully compensate students for hours worked. Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $47 in under-award. Extrapolation of this monetary error estimates a total potential error of $1,717. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 5 files for undergraduate students who had received Federal Work-Study funds for hours worked, of which this error applies to 2, indicating an error rate of 40.0%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: This issue is the result of oversight during payroll processing. Errantly miscalculating hours worked and wages payable results in students receiving fewer Title IV funds than what they may have earned or be eligible for. Recommendation: The University should institute checks within their payroll process specific to ensuring appropriate amounts are paid to recipients of Federal Work-Study funds. View of Responsible Officials: The University acknowledges this finding. Upon discovery of this error, the students were paid the hours that had been missed. To ensure this error does not occur again in the future, financial aid has created a secondary check system that includes keeping an additional excel that confirms that each timesheet has been paid for each student and that their full hours worked have been paid. We have also reinforced with supervisors the urgency of making sure that timesheets are submitted in a timely manner so that this error does not occur again. Additional training for supervisors will also occur.
Finding 2024-003
2024-003 Significant Deficiency: Federal Work-Study (FWS) (U.S. Department of Education, Federal Work-Study Program, ALN #84.033) Criteria: Per the Federal Student Aid Handbook, in general, students are not permitted to work in FWS positions during scheduled class times. Exceptions are permitted if an individual class is cancelled, if the instructor has excused the student from attending for a particular day, and if the student is receiving credit for employment in an internship, externship, or community work-study experience. Any such exemptions must be documented. Statement of Condition: During the 2024 audit, students were identified to have received Federal Work-Study funds for hours submitted that coincided with scheduled class time without an acceptable exception. Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $30 in over-award. Extrapolation of this monetary error estimates a total potential error of $1,096. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 5 files for undergraduate students who had received Federal Work-Study funds for hours worked, of which this error applies to 2, indicating an error rate of 40.00%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: This issue is the result of oversight during payroll processing. By failing to compare hours submitted as worked hours to student class schedules, students have been over-paid Federal Work-Study funds. Recommendation: The University should incorporate a step into the payroll process for students that would compare submitted hours to the students’ class schedules. View of Responsible Officials: The University acknowledges this finding. In order to ensure that this does not occur again, all supervisors have been reminded of the requirement that students do not work during seat time. Regular reminders to supervisors go out about Federal Work Study Guidelines. In addition, as each timesheet is submitted, financial aid shall check to ensure no violations have occurred. Additional training for supervisors will also occur.
Finding 2024-005
2024-005 Significant Deficiency: National Student Loan Data System (NSLDS) Report (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268 and Federal Pell Grant Program, ALN #84.063) (Repeat finding of 2022-001 and 2023-003) Criteria: In accordance with 34 CFR 685.309(b) and 34 CFR section 690.83(b)(2), for Direct Loans and Pell grants, respectively, once the Enrollment Reporting roster file is received from the NSLDS, the institution must update the Enrollment Reporting roster file for changes in student status, report the date the enrollment status was effective, enter the new anticipated completion date, and submit the changes to NSLDS. Statement of Condition: During the audit, it was noted that the University incorrectly reported student enrollment status for changes in enrollment. Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature. Perspective Information: The audit included a detailed testing of 40 student files, of which this significant deficiency applies to 18, indicating an error rate of 45.00%. Cause and Effect: Due to lapses in communication between departments, in certain instances, the University failed to provide NSLDS with accurate updates to student enrollment statuses, resulting in misrepresentation within the NSLDS system. Recommendation: The University should ensure that the correct enrollment status is reported to NSLDS. View of Responsible Officials: The University acknowledges this finding. While the university did implement changes from the prior year, including randomly sampling students, after this finding and looking into the issue that was occurring, we found three more issues with our clearinghouse data. The first issue was our graduation file that was sent to clearinghouse was not being processed and being rejected. We were unaware of the rejection of the records. We are currently still working with clearinghouse to find what is causing the graduation file to reject and are working on getting that corrected. The second issue was that some student files were individually being rejected and thus not processing fully through. To correct this issue, we are watching the rejected clearinghouse files for individual students and are manually reporting their statuses if we cannot get the file to accept. The final and third issue was that students who were unofficially or administratively withdrawn were pulling the wrong date and thus the status was showing the wrong dates for the occurrence. To fix this, financial aid and the registrar are working in tandem to ensure that the correct date that the actual unofficial withdrawal or administrative withdrawal is correct. If necessary, we will manually certify these students as well.
Finding 2024-004
2024-004 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-002) Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4. Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. A new policy was put into place during June 2024. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year: 1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The director of information systems, Casey Reagan, has been identified as the responsible party. 2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows: 3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. 3.3. Encrypt customer information on the institution’s system and when it is in transit. Both the existing policy and the newly implemented policy are silent on this requirement. 3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. 3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. 3.6. Dispose of customer information securely. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 6. The policy addresses how the institution will oversee its information system service providers. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature. Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement including the application of this program for the year. Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024. Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. View of Responsible Officials: The University acknowledges this finding. The University was in the process of updating this policy in 2023-24 to be in compliant and has finished updating the policy. The FSA Cyber Compliance Team reached out to Tusculum due to this finding for the 2022-23 audit period and Tusculum provided the Corrective Action Plan and new policy. On August 1st, 2024, Tusculum received word that the CAP acceptably addressed the GLBA finding. For the issues that are above that list that our policy is silent on the issue, the University will further detail our policy on the measures enacted.
Finding 2024-001
2024-001 Significant Deficiency: TEACH Grant Sequester Miscalculation (U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) Criteria: In accordance with the Electric Announcement General 23-37 and the Budget Control Act of 2011, the statutory award amount for all TEACH Grant awards where the first disbursement is on or after Oct. 1, 2020, and before Oct. 1, 2024, must be reduced by 5.70%. Statement of Condition: During the 2024 audit, it was noted that the University miscalculated the sequester for a student, resulting in an under-award. Questioned Costs: This finding is monetary in nature. In the instance noted in testing, the total error is $36 in under-award. Extrapolation of this monetary error estimates a total potential error of $63. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 1 file for students who had received TEACH, so the identification of this error in the student’s file review results in an error rate of 100%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: Due to oversight by the financial aid counselor awarding a student’s TEACH grant, a student received fewer TEACH grant dollars than those for which they were eligible. Recommendation: The University should ensure that sequester fees are appropriately calculated and that amounts disbursed to students are in line with the regulations. The director of financial aid should provide a review check on such calculations. View of Responsible Officials: The University acknowledges this finding. The error occurred when entering the TEACH Grant into Colleague. Instead of awarding $1886 for both fall and spring, the last two digits were transposed and thus $1868 was entered for fall and spring creating the $36 under-award for the year. Financial Aid has instituted a new practice that all TEACH Grant awards are double checked when awarded and before the start of each term to make sure that the correct amount was awarded and that an entry error does not occur again.
Finding 2024-002
2024-002 Significant Deficiency: Federal Work-Study (FWS) Underpayment (U.S. Department of Education, Federal Work-Study Program, ALN #84.033) Criteria: In accordance with 34 CFR 675.24, an institution shall compute FWS compensation on an hourly wage basis for actual time on the job. An institution may not pay a student a salary, commission, or fee. The minimum wage rate for a student employee under the FWS program is the minimum wage rate required under section 6(a) of the Fair Labor Standards Act of 1938. The Fair Labor Standards Act of 1938, as amended, prohibits employers (including schools) from accepting voluntary services from any paid employee. Any student employed under FWS must be paid for all hours worked. Statement of Condition: During the 2024 audit, it was noted that the University did not fully compensate students for hours worked. Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $47 in under-award. Extrapolation of this monetary error estimates a total potential error of $1,717. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 5 files for undergraduate students who had received Federal Work-Study funds for hours worked, of which this error applies to 2, indicating an error rate of 40.0%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: This issue is the result of oversight during payroll processing. Errantly miscalculating hours worked and wages payable results in students receiving fewer Title IV funds than what they may have earned or be eligible for. Recommendation: The University should institute checks within their payroll process specific to ensuring appropriate amounts are paid to recipients of Federal Work-Study funds. View of Responsible Officials: The University acknowledges this finding. Upon discovery of this error, the students were paid the hours that had been missed. To ensure this error does not occur again in the future, financial aid has created a secondary check system that includes keeping an additional excel that confirms that each timesheet has been paid for each student and that their full hours worked have been paid. We have also reinforced with supervisors the urgency of making sure that timesheets are submitted in a timely manner so that this error does not occur again. Additional training for supervisors will also occur.
Finding 2024-003
2024-003 Significant Deficiency: Federal Work-Study (FWS) (U.S. Department of Education, Federal Work-Study Program, ALN #84.033) Criteria: Per the Federal Student Aid Handbook, in general, students are not permitted to work in FWS positions during scheduled class times. Exceptions are permitted if an individual class is cancelled, if the instructor has excused the student from attending for a particular day, and if the student is receiving credit for employment in an internship, externship, or community work-study experience. Any such exemptions must be documented. Statement of Condition: During the 2024 audit, students were identified to have received Federal Work-Study funds for hours submitted that coincided with scheduled class time without an acceptable exception. Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $30 in over-award. Extrapolation of this monetary error estimates a total potential error of $1,096. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 5 files for undergraduate students who had received Federal Work-Study funds for hours worked, of which this error applies to 2, indicating an error rate of 40.00%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: This issue is the result of oversight during payroll processing. By failing to compare hours submitted as worked hours to student class schedules, students have been over-paid Federal Work-Study funds. Recommendation: The University should incorporate a step into the payroll process for students that would compare submitted hours to the students’ class schedules. View of Responsible Officials: The University acknowledges this finding. In order to ensure that this does not occur again, all supervisors have been reminded of the requirement that students do not work during seat time. Regular reminders to supervisors go out about Federal Work Study Guidelines. In addition, as each timesheet is submitted, financial aid shall check to ensure no violations have occurred. Additional training for supervisors will also occur.
Finding 2024-005
2024-005 Significant Deficiency: National Student Loan Data System (NSLDS) Report (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268 and Federal Pell Grant Program, ALN #84.063) (Repeat finding of 2022-001 and 2023-003) Criteria: In accordance with 34 CFR 685.309(b) and 34 CFR section 690.83(b)(2), for Direct Loans and Pell grants, respectively, once the Enrollment Reporting roster file is received from the NSLDS, the institution must update the Enrollment Reporting roster file for changes in student status, report the date the enrollment status was effective, enter the new anticipated completion date, and submit the changes to NSLDS. Statement of Condition: During the audit, it was noted that the University incorrectly reported student enrollment status for changes in enrollment. Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature. Perspective Information: The audit included a detailed testing of 40 student files, of which this significant deficiency applies to 18, indicating an error rate of 45.00%. Cause and Effect: Due to lapses in communication between departments, in certain instances, the University failed to provide NSLDS with accurate updates to student enrollment statuses, resulting in misrepresentation within the NSLDS system. Recommendation: The University should ensure that the correct enrollment status is reported to NSLDS. View of Responsible Officials: The University acknowledges this finding. While the university did implement changes from the prior year, including randomly sampling students, after this finding and looking into the issue that was occurring, we found three more issues with our clearinghouse data. The first issue was our graduation file that was sent to clearinghouse was not being processed and being rejected. We were unaware of the rejection of the records. We are currently still working with clearinghouse to find what is causing the graduation file to reject and are working on getting that corrected. The second issue was that some student files were individually being rejected and thus not processing fully through. To correct this issue, we are watching the rejected clearinghouse files for individual students and are manually reporting their statuses if we cannot get the file to accept. The final and third issue was that students who were unofficially or administratively withdrawn were pulling the wrong date and thus the status was showing the wrong dates for the occurrence. To fix this, financial aid and the registrar are working in tandem to ensure that the correct date that the actual unofficial withdrawal or administrative withdrawal is correct. If necessary, we will manually certify these students as well.
Finding 2024-004
2024-004 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-002) Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4. Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. A new policy was put into place during June 2024. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year: 1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The director of information systems, Casey Reagan, has been identified as the responsible party. 2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows: 3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. 3.3. Encrypt customer information on the institution’s system and when it is in transit. Both the existing policy and the newly implemented policy are silent on this requirement. 3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. 3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. 3.6. Dispose of customer information securely. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 6. The policy addresses how the institution will oversee its information system service providers. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature. Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement including the application of this program for the year. Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024. Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. View of Responsible Officials: The University acknowledges this finding. The University was in the process of updating this policy in 2023-24 to be in compliant and has finished updating the policy. The FSA Cyber Compliance Team reached out to Tusculum due to this finding for the 2022-23 audit period and Tusculum provided the Corrective Action Plan and new policy. On August 1st, 2024, Tusculum received word that the CAP acceptably addressed the GLBA finding. For the issues that are above that list that our policy is silent on the issue, the University will further detail our policy on the measures enacted.
Finding 2024-001
2024-001 Significant Deficiency: TEACH Grant Sequester Miscalculation (U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) Criteria: In accordance with the Electric Announcement General 23-37 and the Budget Control Act of 2011, the statutory award amount for all TEACH Grant awards where the first disbursement is on or after Oct. 1, 2020, and before Oct. 1, 2024, must be reduced by 5.70%. Statement of Condition: During the 2024 audit, it was noted that the University miscalculated the sequester for a student, resulting in an under-award. Questioned Costs: This finding is monetary in nature. In the instance noted in testing, the total error is $36 in under-award. Extrapolation of this monetary error estimates a total potential error of $63. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 1 file for students who had received TEACH, so the identification of this error in the student’s file review results in an error rate of 100%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: Due to oversight by the financial aid counselor awarding a student’s TEACH grant, a student received fewer TEACH grant dollars than those for which they were eligible. Recommendation: The University should ensure that sequester fees are appropriately calculated and that amounts disbursed to students are in line with the regulations. The director of financial aid should provide a review check on such calculations. View of Responsible Officials: The University acknowledges this finding. The error occurred when entering the TEACH Grant into Colleague. Instead of awarding $1886 for both fall and spring, the last two digits were transposed and thus $1868 was entered for fall and spring creating the $36 under-award for the year. Financial Aid has instituted a new practice that all TEACH Grant awards are double checked when awarded and before the start of each term to make sure that the correct amount was awarded and that an entry error does not occur again.