Audit 351630

FY End
2024-06-30
Total Expended
$6.59M
Findings
16
Programs
7
Year: 2024 Accepted: 2025-03-31
Auditor: Galindez LLC

Findings

ID Ref Severity Repeat Requirement
547380 2024-001 - - N
547381 2024-002 - Yes N
547382 2024-003 Significant Deficiency - N
547383 2024-003 Significant Deficiency - N
547384 2024-003 Significant Deficiency - N
547385 2024-003 Significant Deficiency - N
547386 2024-002 - Yes N
547387 2024-003 Significant Deficiency - N
1123822 2024-001 - - N
1123823 2024-002 - Yes N
1123824 2024-003 Significant Deficiency - N
1123825 2024-003 Significant Deficiency - N
1123826 2024-003 Significant Deficiency - N
1123827 2024-003 Significant Deficiency - N
1123828 2024-002 - Yes N
1123829 2024-003 Significant Deficiency - N

Contacts

Name Title Type
JFA4KNMF5AM3 Ismael Velez Auditee
7877863030 Taireli Hidalgo Auditor

Notes to SEFA

Accounting Policies (common to all notes below):
a. The Schedule is prepared from the University’s accounting records and is not intended to present its financial position or the results of its operations.
b. Expenditures are recognized following the cost principle contained in the Uniform Guidance, wherein certain types of expenditures may or may not be available or may be limited as to reimbursement.
c. The financial transactions are recorded by the University in accordance with the terms and conditions of the grants, which are consistent with accounting principles generally accepted in the United States of America.
d. Expenditures are recognized in the accounting period in which the liability is incurred, if measurable, or when actually paid, whichever occurs first.
e. The University has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.

Title: Basis of Presentation
The accompanying supplementary Schedule of Expenditures of Federal Awards (the Schedule) includes the federal grant activity of Universidad Central de Bayamon, Inc. (the University) and is presented on the accrual basis of accounting. The information in the Schedule is prepared in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the Uniform Guidance). Therefore, some amounts presented in the Schedule may differ from amounts presented in or used in the preparation of the financial statements of the University. Because the Schedule presents only a selected portion of the operations of the University, it is not intended to, and does not, present the financial position, changes in net assets, and cash flows of the University.
Funds received for the Student Financial Assistance Program (principally Pell Grant) that are awarded to students are excluded from revenue and expenses in the financial statements of the University. These grants are applied to the students’ tuition and fees, and any excess is paid to the students.

Title: Assistance Listing Number
The assistance listing numbers included in the Schedule are determined based on the program name, review of grant contract information and OMB’s Assistance Listing Number (ALN).

Title: Major Federal Programs
Major federal programs are identified in the Summary of Auditors’ Results Section in the Schedule of Findings and Questioned Costs. Federal programs are presented by federal agency.

Title: Accounting Policies for Loans and Loan Guarantees
The University has participated in the Federal Direct Student Loans (Direct Loans) Program (ALN 84.268) of the U.S. Department of Education (USDE) since July 1, 2010. Loans made through the Direct Loans program include subsidized and unsubsidized Federal Stafford Loans and Federal PLUS loans. Although the University is not the recipient of the funds, the program is considered a component of the student financial assistance program at the University. Under the Direct Loans program, the University is responsible only for certain administrative duties; accordingly, the disbursements under the program and the outstanding loan balances are excluded from the financial statements of the University. New loans processed for students during the year ended June 30, 2024, were $1,158,379.

Title: Endowment Grant Programs
The University received in prior years grants from the Higher Education Institutional Aid – Strengthening Institutions Program, the Title III Hispanic-Serving Institutions (HSI) STEM and Articulations Programs, and the Title V Developing Hispanic-Serving Institutions (HSI) Program, respectively. Such amounts constituted the Endowment Fund Corpus. The grants require 100% matching contributions from the institutional fund and the income earned on the amount. The University must invest and shall not expend the Endowment Fund Corpus for a period of twenty (20) years. Afterwards, the Endowment Fund Corpus can be used for any educational purpose. During the grant period, the University may not use more than fifty percent (50%) of the aggregate income earned. Therefore, the endowment fund includes both donor-restricted funds and unrestricted funds designated by the Board of Trustees.
(Table)
At the time these grants expire, the outstanding balances of these endowment funds are no longer temporarily restricted and become part of the University’s unrestricted net assets. The balance of the remaining funds, including accrued interest and dividends since inception, amounted to $1,537,642 at June 30, 2024. Net gain for the year ended June 30, 2024 amounted to $93,658, which represents 100% of the investment gain generated by the above-mentioned grants. Investment income (loss), as defined above, includes interest, dividends and realized and unrealized gains/losses on investment securities, net of investment expenses.

Finding Details

Finding No. 2024–001 – Special Tests and Provisions – Return of Title IV Funds – Timing of Return of Title IV Funds

Federal Program Name: Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063
Name of Federal Agency: U.S. Department of Education (USDE)
Category: Internal Control/Compliance
Compliance Requirement: Special Tests and Provisions

Criteria: 34 CFR Section 668.173(b) states that an institution returns unearned Title IV, HEA program funds timely if: (1) the institution deposits or transfers the funds into the bank account it maintains under §668.163 no later than forty-five (45) days after the date it determines that the student withdrew; (2) the institution initiates an electronic fund transfer (EFT) no later than forty-five (45) days after the date it determines that the student withdrew; (3) the institution initiates an electronic transaction, no later than forty-five (45) days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) the institution issues a check no later than forty-five (45) days after the date it determines that the student withdrew.

Condition: In testing compliance with the Return of Title IV funds requirements, we noted one (1) instance in which, under the regulation cited above, the return of Title IV funds as calculated by the Institution was performed after the required 45 days. (Table)

Cause: In November 2023, the University reported that its information technology systems had been the target of an external cyber-attack, which caused various disruptions in operations. The delay in returning the funds within the time prescribed by the regulations was due to the disruptions caused by that event.

Effect: As a result of this instance of noncompliance, the USDE may issue warnings and/or impose penalties on the University. Also, the delay in returning Title IV funds could limit the students’ future eligibility for Title IV funds.

Context: Of the sixty-four (64) cases of withdrawal, we examined twenty-five (25) and determined that in one (1) case the Return of Title IV funds was made late. Following is a description of the sample that included the finding identified and the population from which the sample was drawn for students that received Pell funds: (Table) Following is a description of the sample that included the finding identified and the population from which the sample was drawn for students that received Direct Loans: (Table)

Identification of a repeat finding: This is not a repeat finding from the immediate previous audit.
Questioned cost: None
Recommendation: The University should reinforce its internal controls and procedures to ensure the return of Title IV funds within the required time frame.
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

Finding No. 2024–002 – Special Tests and Provisions – Enrollment Reporting

Federal Program Name: Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063; Federal Direct Student Loan Program (DL), Assistance Listing 84.268
Name of Federal Agency: U.S. Department of Education (USDE)
Category: Internal Control/Compliance
Compliance Requirement: Special Tests and Provisions

Criteria: 34 CFR 685.309(b)(2)(ii) states that unless it expects to submit its next updated enrollment report to the Secretary within the next 60 days, a school must notify the Secretary within 30 days after the date the school discovers that: a loan under title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the school, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended; or a student who is enrolled at the school and who received a loan under title IV of the Act has changed his or her permanent address. The National Student Loan Data System (NSLDS) is the U.S. Department of Education’s central database for federal student aid disbursed under Title IV of the Higher Education Act of 1965 (HEA), as amended. Among other things, NSLDS monitors the programs of attendance and the enrollment status of Title IV aid recipients. The institution determines how often it receives the Enrollment Reporting roster file, with the default set at a minimum of every 60 days. Once received, the institution must update for changes in student status, report the date the enrollment status was effective, enter the new anticipated completion date, and submit the changes electronically through the batch method or the NSLDS website, as stated in 34 CFR 690.83(b)(2) for the Federal Pell Grant Program and 34 CFR section 685.309 for the Federal Direct Student Loan Program.
A student’s enrollment status determines eligibility for in-school status, deferment, and grace periods, as well as for the payment of interest subsidies to FFEL Program loan holders by USDE. Enrollment Reporting in a timely and accurate manner is critical for effective management of the programs. Enrollment information must be reported within 30 days whenever attendance changes for students, unless a roster will be submitted within 60 days. These changes include reductions or increases in attendance levels, withdrawals, graduations, or approved leaves of absence.

Condition: In testing compliance with the enrollment reporting requirements, of twenty-five (25) cases of students examined, we found one (1) instance in which the University did not report to the National Student Loan Data System (NSLDS) the change in status of the student within the required 60-day period.

Cause: Despite having sent the file on time, the Registrar’s Office did not verify that it was transmitted correctly. Subsequently, while reviewing the file, it was identified that the system did not recognize the status change of “official withdrawal”; instead, the status was changed to “Three-Quarter”. The file was submitted again with the correction, but untimely; therefore, the University did not comply with the enrollment reporting requirements.

Effect: As a result of this condition, the USDE was prevented from using accurate reporting data, which is critical for the effective administration of the Direct Loan Program and for USDE budgetary policy analysis.

Identification of a Repeat Finding: This is a repeat finding from the immediate previous audit (Finding 2023-002).
Questioned Cost: None
Context: Of the one hundred and ninety-eight (198) status changes for 2024, we selected twenty-five (25) students for testing and noted one (1) instance in which the University did not comply with the enrollment reporting requirements.
Recommendation: Management should reinforce its monitoring of the services provided by the National Student Clearinghouse to ensure they comply with the agreed-upon reporting timeframe. The University should enhance both electronic and manual procedures to ensure enrollment status changes are timely and accurately reported to NSLDS.
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

Finding No. 2024-003 – Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Federal Programs: ALN 84.007 Federal Supplemental Educational Opportunity Grant Program; ALN 84.033 Federal Work-Study Program; ALN 84.063 Federal Pell Grant Program; ALN 84.268 Federal Direct Student Loan Program; Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)
Name of Federal Agency: U.S. Department of Education (USDE)
Type of Finding: Internal Control/Compliance
Category: Significant deficiency
Compliance Requirement: Special Tests and Provisions

Criteria: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4), require the University to:
a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
   1. Implement and periodically review access controls.
   2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
   3. Encrypt customer information on the institution’s system and when it’s in transit.
   4. Assess apps developed by the institution.
   5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
   6. Dispose of customer information securely.
   7. Anticipate and evaluate changes to the information system or network.
   8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).
g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data.

Condition: During our audit procedures, we noted that the University’s risk assessment did not fully address all the elements required by 16 CFR 314.4. The following elements were missing:
1. Vulnerability test
2. Penetration test
3. Backup test (none was performed during the year ended June 30, 2024)

Cause: In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information and cyber-security program. As a result, some of the procedures and policies established in the information and cyber-security program risk assessment have not been consistently or continuously maintained; accordingly, student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA) that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC).”

Effect: Once the finding is referred to the FTC, that finding will be considered closed for USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.

Identification of a repeat finding: This is not a repeat finding from the immediate previous audit.
Questioned cost: N/A
Context: The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.
Recommendation: We recommend that the University address the cause of the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure compliance with 16 CFR 314.4(b) and (c).
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
Finding No. 2024-003 – Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security
Federal Program: ALN 84.007 Federal Supplemental Educational Opportunity Grant Program; ALN 84.033 Federal Work-Study Program; ALN 84.063 Federal Pell Grant Program; ALN 84.268 Federal Direct Student Loan Program; Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)
Name of Federal Agency: U.S. Department of Education (USDE)
Type of Finding: Internal Control/Compliance
Category: Significant deficiency
Compliance Requirement: Special Tests and Provisions
Criteria: Under an institution's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information required by the GLBA (16 CFR 314.4) require the University to:
a) Designate a qualified individual responsible for overseeing and implementing the institution's information security program and enforcing the information security program (16 CFR 314.4(a)).
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and that assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), summarized as follows:
1. Implement and periodically review access controls.
2. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
3. Encrypt customer information on the institution's system and when it is in transit.
4. Assess applications developed by the institution.
5. Implement multi-factor authentication for anyone accessing customer information on the institution's system.
6. Dispose of customer information securely.
7. Anticipate and evaluate changes to the information system or network.
8. Maintain a log of authorized users' activity and monitor for unauthorized access.
d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).
g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution's information security program (16 CFR 314.4(g)).
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data.
Condition: During our audit procedures, we noted that the University's risk assessment did not fully address all the elements required by 16 CFR 314.4. The following elements were missing:
1. Vulnerability testing.
2. Penetration testing.
3. Backup testing (no backup test was performed during the year ended June 30, 2024).
Cause: In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the University's information security program. As a result, some of the procedures and policies established in the program's risk assessment have not been consistently or continuously maintained; accordingly, student personal information could be at risk. In addition, the USDE has informed institutions through electronic announcements (EA) that "when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC)."
Effect: Once the finding is referred to the FTC, the finding will be considered closed for USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.
Identification of a repeat finding: This is not a repeat finding from the immediate previous audit.
Questioned cost: N/A
Context: The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for these requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department's systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.
Recommendation: We recommend that the University address the cause of the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure compliance with 16 CFR 314.4(b) and (c).
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-002 – Special Tests and Provisions – Enrollment Reporting
Federal Program Name: Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063; Federal Direct Student Loan Program (DL), Assistance Listing 84.268
Name of Federal Agency: U.S. Department of Education (USDE)
Category: Internal Control/Compliance
Compliance Requirement: Special Tests and Provisions
Criteria: 34 CFR 685.309(b)(2)(ii) states that, unless it expects to submit its next updated enrollment report to the Secretary within the next 60 days, a school must notify the Secretary within 30 days after the date the school discovers that (a) a loan under title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the school, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended; or (b) a student who is enrolled at the school and who received a loan under title IV of the Act has changed his or her permanent address. The National Student Loan Data System (NSLDS) is the U.S. Department of Education's central database for federal student aid disbursed under Title IV of the Higher Education Act of 1965 (HEA), as amended. Among other things, NSLDS monitors the programs of attendance and the enrollment status of Title IV aid recipients. The institution determines how often it receives the Enrollment Reporting roster file, with the default set at a minimum of every 60 days. Once the roster is received, the institution must update it for changes in student status, report the date the enrollment status change was effective, enter the new anticipated completion date, and submit the changes electronically through the batch method or the NSLDS website, as stated in 34 CFR 690.83(b)(2) for the Federal Pell Grant Program and 34 CFR 685.309 for the Federal Direct Student Loan Program.
A student's enrollment status determines eligibility for in-school status, deferment, and grace periods, as well as for the payment of interest subsidies to FFEL Program loan holders by the USDE. Timely and accurate enrollment reporting is critical for effective management of the programs. Enrollment information must be reported within 30 days whenever attendance changes for students, unless a roster will be submitted within 60 days. These changes include reductions or increases in attendance levels, withdrawals, graduations, or approved leaves of absence.
Condition: In testing compliance with the enrollment reporting requirements, from twenty-five (25) student cases examined, we found one (1) instance in which the University did not report the change in the student's status to the National Student Loan Data System (NSLDS) within the required 60-day period.
Cause: Although the file was sent on time, the Registrar's Office did not verify that it was transmitted correctly. Subsequently, while reviewing the file, it was identified that the system did not recognize the status change of "official withdrawal"; instead, the status was changed to "Three-Quarter". The file was resubmitted with the correction after the deadline; therefore, the University did not comply with the enrollment reporting requirements.
Effect: As a result of this condition, the USDE was prevented from using accurate reporting data, which is critical for the effective administration of the Direct Loan Program and for USDE budgetary policy analysis.
Identification of a Repeat Finding: This is a repeat finding from the immediate previous audit (Finding 2023-002).
Questioned Cost: None
Context: Of the one hundred ninety-eight (198) status changes for 2024, we selected twenty-five (25) students for testing and noted one (1) instance in which the University did not comply with the enrollment reporting requirements.
Recommendation: Management should reinforce its monitoring of the services provided by the National Student Clearinghouse to ensure they comply with the agreed-upon reporting timeframe. The University should enhance both electronic and manual procedures to ensure enrollment status changes are timely and accurately reported to NSLDS.
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-001 – Special Tests and Provisions – Return of Title IV Funds – Timing of Return of Title IV Funds
Federal Program Name: Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063
Name of Federal Agency: U.S. Department of Education (USDE)
Category: Internal Control/Compliance
Compliance Requirement: Special Tests and Provisions
Criteria: 34 CFR 668.173(b) states that an institution returns unearned Title IV, HEA program funds timely if (1) the institution deposits or transfers the funds into the bank account it maintains under §668.163 no later than forty-five (45) days after the date it determines that the student withdrew; (2) the institution initiates an electronic fund transfer (EFT) no later than forty-five (45) days after the date it determines that the student withdrew; (3) the institution initiates an electronic transaction, no later than forty-five (45) days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower's loan account for the amount returned; or (4) the institution issues a check no later than forty-five (45) days after the date it determines that the student withdrew.
Condition: In testing compliance with the Return of Title IV funds requirements, we noted one (1) instance in which, based on the regulation cited above, the return of Title IV funds as calculated by the Institution was performed after the required 45 days. (Table)
Cause: In November 2023, the University reported that its information technology systems had been the target of an external cyber-attack, which caused various disruptions to its operations. The delay in returning the funds within the time prescribed by the regulations was due to the disruptions caused by that event.
Effect: As a result of this instance of noncompliance, the USDE may issue warnings and/or impose penalties on the University. Also, the delay in returning Title IV funds could limit the students' future eligibility for Title IV funds.
Context: Of the sixty-four (64) withdrawal cases, we examined twenty-five (25) and determined that in one (1) case the Title IV funds were returned late. Following is a description of the sample that included the finding identified and the population from which the sample was drawn for students that received Pell funds: (Table) Following is a description of the sample that included the finding identified and the population from which the sample was drawn for students that received Direct Loans: (Table)
Identification of a repeat finding: This is not a repeat finding from the immediate previous audit.
Questioned cost: None
Recommendation: The University should reinforce its internal controls and procedures to ensure the return of Title IV funds within the required time frame.
Views of Responsible Officials and Planned Corrective Actions: Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-002 – Special Tests and Provisions – Enrollment Reporting

Federal Program Name
Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063; Federal Direct Student Loan Program (DL), Assistance Listing 84.268

Name of Federal Agency
U.S. Department of Education (USDE)

Category
Internal Control/Compliance

Compliance Requirement
Special Tests and Provisions

Criteria
34 CFR 685.309(b)(2)(ii) states that, unless it expects to submit its next updated enrollment report to the Secretary within the next 60 days, a school must notify the Secretary within 30 days after the date the school discovers that a loan under Title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the school, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended; or that a student who is enrolled at the school and who received a loan under Title IV of the Act has changed his or her permanent address.

The National Student Loan Data System (NSLDS) is the U.S. Department of Education’s central database for federal student aid disbursed under Title IV of the Higher Education Act of 1965 (HEA), as amended. Among other things, NSLDS monitors the programs of attendance and the enrollment status of Title IV aid recipients. The institution determines how often it receives the Enrollment Reporting roster file, with the default set at a minimum of every 60 days. Once received, the institution must update for changes in student status, report the date the enrollment status was effective, enter the new anticipated completion date, and submit the changes electronically through the batch method or the NSLDS website, as stated in 34 CFR 690.83(b)(2) for the Federal Pell Grant Program and 34 CFR 685.309 for the Federal Direct Student Loan Program.

A student’s enrollment status determines eligibility for in-school status, deferment, and grace periods, as well as for the payment of interest subsidies to FFEL Program loan holders by USDE. Timely and accurate enrollment reporting is critical for effective management of the programs. Enrollment information must be reported within 30 days whenever attendance changes for students, unless a roster will be submitted within 60 days. These changes include reductions or increases in attendance levels, withdrawals, graduations, or approved leaves of absence.

Condition
In testing compliance with the enrollment reporting requirements, of twenty-five (25) cases of students examined, we found one (1) instance in which the University did not report to the National Student Loan Data System (NSLDS) the change in status of the student within the required 60-day period.

Cause
Although the file was sent on time, the Registrar’s Office did not verify that it was transmitted correctly. Subsequently, while reviewing the file, it was identified that the system did not recognize the status change of “official withdrawal”; instead, the status was changed to “Three-Quarter”. The file was submitted again with the correction, but untimely; therefore, the University did not comply with the enrollment reporting requirements.

Effect
As a result of this condition, the USDE was prevented from using accurate reporting data, which is critical for the effective administration of the Direct Loan Program and for USDE budgetary policy analysis.

Identification of a Repeat Finding
This is a repeat finding from the immediate previous audit (Finding 2023-002).

Questioned Cost
None

Context
Of the one hundred and ninety-eight (198) status changes for 2024, we selected twenty-five (25) students for testing and noted one (1) instance in which the University did not comply with the enrollment reporting requirements.

Recommendation
Management should reinforce its monitoring of the services provided by the National Student Clearinghouse to ensure they comply with the agreed-upon reporting timeframe. The University should enhance both electronic and manual procedures to ensure enrollment status changes are timely and accurately reported to NSLDS.

Views of Responsible Officials and Planned Corrective Actions
Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Federal Program
ALN 84.007 Federal Supplemental Educational Opportunity Grant Program; ALN 84.033 Federal Work-Study Program; ALN 84.063 Federal Pell Grant Program; ALN 84.268 Federal Direct Student Loan Program; Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)

Name of Federal Agency
U.S. Department of Education (USDE)

Type of Finding
Internal Control/Compliance

Category
Significant deficiency

Compliance Requirement
Special Tests and Provisions

Criteria
Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).

The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR 314.4), require the University to:

a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
1. Implement and periodically review access controls.
2. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
3. Encrypt customer information on the institution’s system and when it is in transit.
4. Assess apps developed by the institution.
5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
6. Dispose of customer information securely.
7. Anticipate and evaluate changes to the information system or network.
8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).

g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data.

Condition
During our audit procedures, we noted that the University’s risk assessment did not fully address all the elements required by 16 CFR 314.4. The following elements were missing:
1. Vulnerability test
2. Penetration test
3. Backup test (no backup test was performed during the year ended June 30, 2024)

Cause
In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained; accordingly, student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA) that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC).”

Effect
Once the finding is referred to the FTC, that finding will be considered closed for USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.

Identification of a repeat finding
This is not a repeat finding from the immediate previous audit.

Questioned cost
N/A

Context
The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.

Recommendation
We recommend that the University address the cause of the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c).

Views of Responsible Officials and Planned Corrective Actions
Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). 
Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. 
Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). 
Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. 
Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
Finding No. 2024-002 – Special Tests and Provisions – Enrollment Reporting

Federal Program Name: Student Financial Assistance Programs Cluster – Federal Pell Grant Program (PELL), Assistance Listing 84.063; Federal Direct Student Loan Program (DL), Assistance Listing 84.268
Name of Federal Agency: U.S. Department of Education (USDE)
Category: Internal Control/Compliance
Compliance Requirement: Special Tests and Provisions

Criteria
34 CFR 685.309(b)(2)(ii) states that, unless it expects to submit its next updated enrollment report to the Secretary within the next 60 days, a school must notify the Secretary within 30 days after the date the school discovers that: a loan under Title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the school, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended; or a student who is enrolled at the school and who received a loan under Title IV of the Act has changed his or her permanent address.

The National Student Loan Data System (NSLDS) is the U.S. Department of Education’s central database for federal student aid disbursed under Title IV of the Higher Education Act of 1965 (HEA), as amended. Among other things, NSLDS monitors the programs of attendance and the enrollment status of Title IV aid recipients. The institution determines how often it receives the Enrollment Reporting roster file, with the default set at a minimum of every 60 days. Once received, the institution must update it for changes in student status, report the date the enrollment status became effective, enter the new anticipated completion date, and submit the changes electronically through the batch method or the NSLDS website, as stated in 34 CFR 690.83(b)(2) for the Federal Pell Grant Program and 34 CFR 685.309 for the Federal Direct Student Loan Program.

A student’s enrollment status determines eligibility for in-school status, deferment, and grace periods, as well as for the payment of interest subsidies to FFEL Program loan holders by USDE. Timely and accurate enrollment reporting is critical for effective management of the programs. Enrollment information must be reported within 30 days whenever attendance changes for students, unless a roster will be submitted within 60 days. These changes include reductions or increases in attendance levels, withdrawals, graduations, or approved leaves of absence.

Condition
In testing compliance with the enrollment reporting requirements, of twenty-five (25) student cases examined, we found one (1) instance in which the University did not report the change in the student’s status to the National Student Loan Data System (NSLDS) within the required 60-day period.

Cause
Although the file was sent on time, the Registrar’s Office did not verify that it was transmitted correctly. On subsequent review of the file, it was identified that the system did not recognize the status change of “official withdrawal”; instead, the status was changed to “Three-Quarter”. The file was submitted again with the correction, but late; therefore, the University did not comply with the enrollment reporting requirements.

Effect
As a result of this condition, the USDE was prevented from using accurate reporting data, which is critical for the effective administration of the Direct Loan Program and for USDE budgetary policy analysis.

Identification of a Repeat Finding
This is a repeat finding from the immediate previous audit (Finding 2023-002).

Questioned Cost
None

Context
Of the one hundred and ninety-eight (198) status changes for 2024, we selected twenty-five (25) students for testing and noted one (1) instance in which the University did not comply with the enrollment reporting requirements.

Recommendation
Management should reinforce its monitoring of the services provided by the National Student Clearinghouse to ensure they comply with the agreed-upon reporting timeframe. The University should enhance both electronic and manual procedures to ensure that enrollment status changes are reported to NSLDS in a timely and accurate manner.

Views of Responsible Officials and Planned Corrective Actions
Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Federal Program: ALN 84.007 Federal Supplemental Educational Opportunity Grant Program; ALN 84.033 Federal Work-Study Program; ALN 84.063 Federal Pell Grant Program; ALN 84.268 Federal Direct Student Loan Program; Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)
Name of Federal Agency: U.S. Department of Education (USDE)
Type of Finding: Internal Control/Compliance
Category: Significant deficiency
Compliance Requirement: Special Tests and Provisions

Criteria
Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information required by the GLBA (16 CFR 314.4) require the University to:

a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
   1. Implement and periodically review access controls.
   2. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
   3. Encrypt customer information on the institution’s system and when it is in transit.
   4. Assess apps developed by the institution.
   5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
   6. Dispose of customer information securely.
   7. Anticipate and evaluate changes to the information system or network.
   8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).

g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure that appropriate safeguards are in place to protect information technology systems and data.

Condition
During our audit procedures, we noted that the University’s risk assessment did not fully address all the elements required by 16 CFR 314.4. Accordingly, the following elements were missing:
1. Vulnerability test
2. Penetration test
3. Backup test (no backup test was performed during the year ended June 30, 2024)

Cause
In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained; accordingly, student personal information could be at risk. In addition, the USDE has informed institutions through electronic announcements (EA) that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC).”

Effect
Once the finding is referred to the FTC, that finding will be considered closed for USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.

Identification of a Repeat Finding
This is not a repeat finding from the immediate previous audit.

Questioned Cost
N/A

Context
The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.

Recommendation
We recommend that the University address the cause of the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure compliance with 16 CFR 314.4(b) and (c).

Views of Responsible Officials and Planned Corrective Actions
Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.