Audit 353484

FY End: 2024-06-30
Total Expended: $4.06M
Findings: 4
Programs: 6
Organization: Western Suffolk Boces (NY)
Year: 2024
Accepted: 2025-04-12
Auditor: Bonadio & CO LLP

Findings

ID Ref Severity Repeat Requirement
554905 2024-001 Significant Deficiency - N
554906 2024-001 Significant Deficiency - N
1131347 2024-001 Significant Deficiency - N
1131348 2024-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $1.19M Yes 1
84.063 Federal Pell Grant Program $674,536 Yes 1
84.002 Adult Education - Basic Grants to States $421,299 - 0
10.555 National School Lunch Program $310,544 - 0
10.553 School Breakfast Program $170,137 - 0
84.048 Career and Technical Education -- Basic Grants to States $122,762 - 0

Contacts

Name Title Type
FPRDRSDZLRF4 Warren Taylor Auditee
6375494900 Kylene Fitsik Auditor

Notes to SEFA

Title: BASIS OF PRESENTATION
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: The accompanying schedule of expenditures of federal awards (Schedule) includes the federal grant activity of the Western Suffolk BOCES (BOCES), under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the BOCES, it is not intended to and does not present the financial position or the respective changes in financial position of the governmental activities, each major fund, and the aggregate remaining fund information of the BOCES.

Title: SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.

Title: PASS-THROUGH PROGRAMS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: Where the BOCES receives funds from a government entity other than the federal government (pass-through), the funds are accumulated based upon the Assistance Listing number advised by the pass-through grantor. Identifying numbers, other than the Assistance Listing numbers, which may be assigned by pass-through grantors are not maintained in the BOCES’ financial management system. The BOCES has identified certain pass-through identifying numbers and included them in the schedule of expenditures of federal awards, as available.

Title: INDIRECT COSTS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The BOCES did not elect to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: MATCHING COSTS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: Matching costs, i.e. the BOCES’ share of certain program costs, are not included in the reported expenditures.

Title: NON-MONETARY FEDERAL PROGRAM
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the BOCES’ general ledger.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.
Note: The BOCES is the recipient of a federal financial award program that does not result in cash receipts or disbursements, termed a non-monetary program. During the year ended June 30, 2024, the BOCES received food commodities, the fair value of which amounted to $32,303 and is presented in the Schedule as National School Lunch Program (Division of Donated Foods, Assistance Listing #10.555).

Finding Details

Finding Reference: 2024-001
Federal Agency: U.S. Department of Education
Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing #84.063); Federal Direct Student Loans (Assistance Listing #84.268)
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the BOCES, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- A periodic inventory of data, noting where it is collected, stored, and transmitted, was not performed.
- Vulnerability scanning and penetration testing are not completed annually.
- A written information security program is not fully in place. Policies surrounding risk management have not been implemented.
- Unsupported operating systems are in use.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the BOCES related to compliance with GLBA.

Auditor’s Recommendation: The BOCES should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The BOCES should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.

View of Responsible Officials: The BOCES is actively engaged in a formal Request for Proposals (RFP) process to procure a qualified vendor for the design and implementation of a comprehensive Information Security Program aligned with GLBA requirements. The selected vendor will conduct a full assessment of existing controls, help develop required policies and procedures, and assist in ensuring full compliance with GLBA mandates, including employee training, information systems safeguards, and incident response protocols. This process will be completed by December 2025. As part of the upcoming vendor engagement, a complete data inventory and structured risk assessment will be conducted. This will identify where sensitive data is collected, stored, transmitted, and processed, and will form the basis for implementing technical and administrative safeguards. This process will be completed by March 2026. In the past several years the BOCES has reviewed several student systems and was unable to identify a system that met all of their needs due to the differences between requirements applicable to school districts and those appropriate to the unique needs of a BOCES. The organization is on track to discontinue the use of all unsupported operating systems by June 30, 2026.