Audit 355305

FY End: 2024-06-30
Total Expended: $8.03M
Findings: 36
Programs: 9
Organization: Knox College (IL)
Year: 2024
Accepted: 2025-05-01
Auditor: RSM US LLP


Findings

ID Ref Severity Repeat Requirement
559045 2024-006 Material Weakness - N
559046 2024-006 Material Weakness - N
559047 2024-006 Material Weakness - N
559048 2024-006 Material Weakness - N
559049 2024-002 Significant Deficiency - L
559050 2024-003 Significant Deficiency - N
559051 2024-004 Significant Deficiency - N
559052 2024-005 Significant Deficiency - N
559053 2024-006 Material Weakness - N
559054 2024-002 Material Weakness - N
559055 2024-002 Material Weakness - N
559056 2024-005 Significant Deficiency - N
559057 2024-002 Significant Deficiency - L
559058 2024-002 Significant Deficiency - L
559059 2024-004 Significant Deficiency - N
559060 2024-005 Significant Deficiency - N
559061 2024-002 Material Weakness - N
559062 2024-002 Material Weakness - N
1135487 2024-006 Material Weakness - N
1135488 2024-006 Material Weakness - N
1135489 2024-006 Material Weakness - N
1135490 2024-006 Material Weakness - N
1135491 2024-002 Significant Deficiency - L
1135492 2024-003 Significant Deficiency - N
1135493 2024-004 Significant Deficiency - N
1135494 2024-005 Significant Deficiency - N
1135495 2024-006 Material Weakness - N
1135496 2024-002 Material Weakness - N
1135497 2024-002 Material Weakness - N
1135498 2024-005 Significant Deficiency - N
1135499 2024-002 Significant Deficiency - L
1135500 2024-002 Significant Deficiency - L
1135501 2024-004 Significant Deficiency - N
1135502 2024-005 Significant Deficiency - N
1135503 2024-002 Material Weakness - N
1135504 2024-002 Material Weakness - N

Contacts

Name Title Type
WFM6ZQMN9PM1 Angela Hopping Auditee
3093417505 Anna Kyer Auditor

Notes to SEFA

Accounting Policies (stated identically for every note): Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under Uniform Guidance.

Title: Note 1. Basis of Presentation
The accompanying schedule of expenditures of federal awards (the “Schedule”) includes the federal award activity of Knox College (the College) under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the College. No funds were identified as having been provided by subrecipients by the College, and accordingly, no funds identified in the Schedule are attributable to subrecipient entities. There were no federal awards expended for noncash assistance or insurance at year-end.

Title: Note 2. Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.

Title: Note 3. Loans Outstanding
The amount presented for the Federal Perkins Loans represents total loans outstanding at July 1, 2023, for which the U.S. Department of Education imposes continuing compliance requirements. As of June 30, 2024, loans outstanding totaled $532,544. Such amounts have been recorded net of an allowance of $26,627 in the College’s financial statements.

Title: Note 4. Amounts Required for Matching
To comply with program requirements, amounts required to be expended from nonfederal sources have been excluded from reported expenditures. For June 30, 2024, the College’s portion of expenditures was as follows:
Program Title: Federal Work Study Program
Federal ALN: 84.033
Amount Provided for Matching: $49,228

Title: Note 5. Indirect Cost Rate
The College has elected not to use the 10% de minimis indirect cost rate allowed under Uniform Guidance.

Finding Details

2024-006—Gramm-Leach-Bliley Act – Student Information Security

U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Work Study Program (84.003)
Federal Pell Grant Program (84.063)
Federal Perkins Loan Program (84.038)
Federal Supplemental Educational Opportunity Grants (84.007)
Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (2 CFR 200.303(a)) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.

The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program that includes the following parts:
• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers.

Condition
The College’s written information security program did not include the following elements required by regulation as agreed to in the PPA:
• The College has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the College included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. The College’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption.
• The College has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
• The College has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
• The College has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
• The College has not developed policies and procedures to oversee information service providers.

Cause
The College’s information security policy did not include all of the required elements, in line with the Gramm-Leach-Bliley Act.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs
There were no questioned costs with respect to this finding.

Context
Under a College’s PPA with the U.S. Department of Education, institutions must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Recommendation
We recommend the College complete these requirements, in order to be in compliance with the Gramm-Leach-Bliley Act.

Views of responsible officials
Management agrees with this finding. See corrective action plan.

2024-002—Late submission of the Single Audit to the Federal Audit Clearinghouse

U.S. Department of Education
Student Financial Assistance Programs Cluster
TRIO Cluster
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period.

Condition
The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame.

Cause
This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Context
As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline.

Questioned costs
There were no questioned costs with respect to this finding.

Recommendation
We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely.

Views of responsible officials
Management agrees with this finding. See corrective action plan.

2024-003—Error in Reporting for National Student Loan Data System (NSLDS)

U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (34 CFR 685.309) requires enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date.

According to the NSLDS Enrollment Reporting Guide, a student’s Program-Level enrollment status should be reported with the same enrollment status as that student’s campus-level enrollment status for all programs the student is enrolled in at that location, even if the student is not currently taking coursework that applies to a particular program. If the student has withdrawn or graduated from an academic program, a “terminal enrollment status” of ‘W’ or ‘G,’ as appropriate, should be reported for that program, even if the student is still taking coursework applicable to other programs in which the student is enrolled.

Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.

Condition
The College did not properly report the student enrollment change for students who received federal student aid to the NSLDS. The College did not timely report three students’ Program-Level or Campus-Level enrollment status change to NSLDS. Out of the 11 students tested, we noted 3 students (28%) whose status change at the Program-Level and Campus-Level was not timely reported to NSLDS. The College did not have formally documented controls related to the process of enrollment reporting, which is required under Uniform Grant Guidance.

Cause
An additional submission to the NSLDS was required for the students who withdrew during the term to meet the reporting requirements that did not occur. The College noted that changes related to mid-term withdrawals are not completed until the end of the term, which is outside the allowable window of reporting noted above.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Context
We tested 11 students who received federal student aid with enrollment changes. For each student tested, management provided documentation from NSLDS showing when the student’s status changed, and when it was reported. Out of the 11 students tested, we noted 3 students (28%) whose status change at the Program-Level and Campus-Level was not timely reported to NSLDS.

Questioned costs
There were no questioned costs with respect to this finding.

Recommendation
We recommend the College review current processes and implement updated processes and controls for reporting to NSLDS, implementing procedures to ensure submissions are reported timely and accurately.

Views of responsible officials
Management agrees with this finding. See corrective action plan.
2024-004—Common Origination and Disbursement Reporting
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria: Per the Federal Student Aid Handbook Volume 8 Chapter 3: “For each Direct Loan that a school disburses to a student or parent, the school must submit a loan award record to the Common Origination and Disbursement (COD) system that includes the student’s grade level, the loan period and academic year dates, the loan amount, the anticipated and actual dates and amounts of the loan disbursements, and other information. For all Direct Loans, you must document the student’s Cost of Attendance (COA), Expected Family Contribution (EFC), and Estimated Financial Assistance (EFA) in the student’s file. This information must be made available to the Department upon request. The specific Direct Loan amount that a student or parent borrower is eligible to receive is determined based on various factors such as the student’s COA, EFC, EFA, and remaining eligibility under the annual and aggregate loan limits information.”

Condition: The College incorrectly reported the COA to COD for 3 students. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD. The incorrect reporting did not have an effect on the total award given to students (reporting only). The College did not have formally documented controls related to the processes of enrollment reporting and reporting, which is required under Uniform Grant Guidance.

Cause: A manual update to each student’s COA in the COD system was required, but did not occur.

Effect: Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs: There were no questioned costs with respect to this finding.

Context: We tested 34 students who received Federal Direct Student Loans. For each student tested, management provided documentation from COD, showing the reported amount of COA to COD. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD.

Recommendation: We recommend the College review current processes and implement updated processes and controls for reporting to COD, implementing procedures to ensure reporting to COD is accurate.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
2024-005—Disbursements to or on Behalf of Students (Credit Balances)
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Work Study (84.033)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria: The Code of Federal Regulations (34 CFR 668.164(h)(2)) requires that Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.

Condition: The College did not pay the Title IV credit balance to the student directly for one student within the required timeline noted above. Out of the 40 students tested, we noted one student (2.5%) whose credit balance was not paid directly to the student within the required timeframe noted above. The incorrect timing did not have an effect on the total award given to students (timing only). The College did not have formally documented controls related to the process associated with disbursements to or on behalf of students (credit balances), which is required under Uniform Grant Guidance.

Cause: A refund to the student was required to be made within the required timeframe, and was done outside the required timeframe.

Effect: Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs: There were no questioned costs with respect to this finding.

Context: We tested 40 students who had a credit balance of Title IV funds during the fiscal year ended June 30, 2024. For each student tested, management provided documentation from their student information system, showing when the student was in a credit balance, and when the credit balance was disbursed to the student. Out of the 40 students tested, we noted 1 student (2.5%) whose credit balance was not timely refunded. The student had a credit balance as of March 19, 2024, and the student’s credit balance was refunded to the student on April 23, 2024.

Recommendation: We recommend the College review current processes and implement updated processes and controls for timely student credit balance refunds.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
2024-006—Gramm-Leach-Bliley Act – Student Information Security
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Work Study Program (84.003)
Federal Pell Grant Program (84.063)
Federal Perkins Loan Program (84.038)
Federal Supplemental Educational Opportunity Grants (84.007)
Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria: The Code of Federal Regulations (2 CFR 200.303(a)) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.

The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts:
• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers.

Condition: The College’s written information security program did not include the following elements required by regulation as agreed to in the PPA:
• The College has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the College included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. The College’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption.
• The College has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
• The College has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
• The College has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
• The College has not developed policies and procedures to oversee information service providers.

Cause: The College’s information security policy did not include all of the required elements, in line with the Gramm-Leach-Bliley Act.

Effect: Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs: There were no questioned costs with respect to this finding.

Context: Under a College’s PPA with the U.S. Department of Education, institutions must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Recommendation: We recommend the College complete these requirements, in order to be in compliance with the Gramm-Leach-Bliley Act.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Audit Clearinghouse
U.S. Department of Education
Student Financial Assistance Programs Cluster
TRIO Cluster
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria: The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period.

Condition: The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame.

Cause: This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit.

Effect: Noncompliance with federal regulations could result in the loss of future federal funding.

Context: As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline.

Questioned costs: There were no questioned costs with respect to this finding.

Recommendation: We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-005—Disbursements to or on Behalf of Students (Credit Balances) U.S. Department of Education Student Financial Assistance Programs Cluster (Direct) Federal Direct Loan Program (84.268) Federal Pell Grant Program (84.063) Federal Work Study (84.033) Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (34 CFR 668.164(h)(2)) requires that Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period. Condition The College did not pay the Title IV credit balance to the student directly for one student within the required timeline noted above. Out of the 40 students tested, we noted one student (2.5%) who’s credit balance was not paid directly to the student within the required timeframe noted above. The incorrect timing did not have an effect on the total award given to students (timing only). The College did not have formally documented controls related to the process associated with disbursements to or on behalf of students (credit balances), which is required under Uniform Grant Guidance. Cause A refund to the student was required to be made within the required timeframe, and was done outside the required timeframe. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Questioned costs There were no questioned costs with respect to this finding. Context We tested 40 students who had a credit balance of Title IV funds during the fiscal year ended June 30, 2024. 
For each student tested, management provided documentation from their student information system, showing the when the student was in a credit balance, and when the credit balance was disbursed to the student. Out of the 40 students tested, we noted 1 student (2.5%) whose credit balance was not timely refunded. The student had a credit balance as of March 19, 2024, and the student’s credit balance was refunded to the student on April 23, 2024. Recommendation We recommend the College review current processes and implement updated processes and controls for timely student credit balance refunds. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-004—Common Origination and Disbursement Reporting U.S. Department of Education Student Financial Assistance Programs Cluster (Direct) Federal Direct Loan Program (84.268) Federal Pell Grant Program (84.063) Federal Award Year: 2023-2024 Repeat Finding: No Criteria Per the Federal Student Aid Handbook Volume 8 Chapter 3: “For each Direct Loan that a school disburses to a student or parent, the school must submit a loan award record to the Common Origination and Disbursement (COD) system that includes the student’s grade level, the loan period and academic year dates, the loan amount, the anticipated and actual dates and amounts of the loan disbursements, and other information. For all Direct Loans, you must document the student’s Cost of Attendance (COA), Expected Family Contribution (EFC), and Estimated Financial Assistance (EFA) in the student’s file. This information must be made available to the Department upon request. The specific Direct Loan amount that a student or parent borrower is eligible to receive is determined based on various factors such as the student’s COA, EFC, EFA, and remaining eligibility under the annual and aggregate loan limits information.” Condition The College incorrectly reported the COA to COD for 3 students. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD. The incorrect reporting did not have an effect on the total award given to students (reporting only). The College did not have formally documented controls related to the processes of enrollment reporting and reporting, which is required under Uniform Grant Guidance.   Cause A manual update to each student’s COA in the COD system was required, but did not occur. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Questioned costs There were no questioned costs with respect to this finding. Context We tested 34 students who received Federal Direct Student Loans. 
For each student tested, management provided documentation from COD, showing the reported amount of COA to COD. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD. Recommendation We recommend the College review current processes and implement updated processes and controls for reporting to COD, implementing procedures to ensure reporting to COD is accurate. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-005—Disbursements to or on Behalf of Students (Credit Balances) U.S. Department of Education Student Financial Assistance Programs Cluster (Direct) Federal Direct Loan Program (84.268) Federal Pell Grant Program (84.063) Federal Work Study (84.033) Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (34 CFR 668.164(h)(2)) requires that Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period. Condition The College did not pay the Title IV credit balance to the student directly for one student within the required timeline noted above. Out of the 40 students tested, we noted one student (2.5%) who’s credit balance was not paid directly to the student within the required timeframe noted above. The incorrect timing did not have an effect on the total award given to students (timing only). The College did not have formally documented controls related to the process associated with disbursements to or on behalf of students (credit balances), which is required under Uniform Grant Guidance. Cause A refund to the student was required to be made within the required timeframe, and was done outside the required timeframe. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Questioned costs There were no questioned costs with respect to this finding. Context We tested 40 students who had a credit balance of Title IV funds during the fiscal year ended June 30, 2024. 
For each student tested, management provided documentation from their student information system, showing the when the student was in a credit balance, and when the credit balance was disbursed to the student. Out of the 40 students tested, we noted 1 student (2.5%) whose credit balance was not timely refunded. The student had a credit balance as of March 19, 2024, and the student’s credit balance was refunded to the student on April 23, 2024. Recommendation We recommend the College review current processes and implement updated processes and controls for timely student credit balance refunds. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-006—Graham Leach Bliley Act – Student Information Security U.S. Department of Education Student Financial Assistance Programs Cluster (Direct) Federal Work Study Program (84.003) Federal Pell Grant Program (84.063) Federal Perkins Loan Program (84.038) Federal Supplemental Educational Opportunity Grants (84.007) Federal Direct Loan Program (84.268) Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.303(a)) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.   The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. Condition The College’s written information security program did not include the following elements required by regulation as agreed to in the PPA: • The College has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the College included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. The College’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption. • The College has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. 
The safeguards do not include the identification of security events or detection and response capabilities to support incident response. • The College has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.   • The College has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program. • The College has not developed policies and procedures to oversee information service providers Cause The College’s information security policy did not include all of the required elements, in line with the Gramm-Leach-Bliley Act. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Questioned costs There were no questioned costs with respect to this finding. Context Under a College’s PPA with the U.S. Department of Education, institutions must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs Recommendation We recommend the College complete these requirements, in order to be compliance with the Gramm-Leach-Bliley Act. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Audit Clearinghouse
U.S. Department of Education
Student Financial Assistance Programs Cluster
TRIO Cluster
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period.

Condition
The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame.

Cause
This was due to staffing constraints at the College as well as the implementation of several new systems, which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Context
As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline.

Questioned costs
There were no questioned costs with respect to this finding.

Recommendation
We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely.

Views of responsible officials
Management agrees with this finding. See corrective action plan.
2024-003—Error in Reporting for National Student Loan Data System (NSLDS)
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (34 CFR 685.309) requires enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date.

According to the NSLDS Enrollment Reporting Guide, a student’s Program-Level enrollment status should be reported with the same enrollment status as that student’s campus-level enrollment status for all programs the student is enrolled in at that location, even if the student is not currently taking coursework that applies to a particular program. If the student has withdrawn or graduated from an academic program, a “terminal enrollment status” of ‘W’ or ‘G,’ as appropriate, should be reported for that program, even if the student is still taking coursework applicable to other programs in which the student is enrolled.

Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.

Condition
The College did not properly report the student enrollment change for students who received federal student aid to the NSLDS. The College did not timely report three students’ Program-Level or Campus-Level enrollment status change to NSLDS. Out of the 11 students tested, we noted 3 students (28%) whose status change at the Program-Level and Campus-Level was not timely reported to NSLDS. The College did not have formally documented controls related to the process of enrollment reporting, which is required under Uniform Grant Guidance.

Cause
An additional submission to the NSLDS, required to meet the reporting requirements for the students who withdrew during the term, did not occur. The College noted that changes related to mid-term withdrawals are not completed until the end of the term, which is outside the allowable window of reporting noted above.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Context
We tested 11 students who received federal student aid with enrollment changes. For each student tested, management provided documentation from NSLDS showing when the student’s status changed, and when it was reported. Out of the 11 students tested, we noted 3 students (28%) whose status change at the Program-Level and Campus-Level was not timely reported to NSLDS.

Questioned costs
There were no questioned costs with respect to this finding.

Recommendation
We recommend the College review current processes and implement updated processes and controls for reporting to NSLDS, implementing procedures to ensure submissions are reported timely and accurately.

Views of responsible officials
Management agrees with this finding. See corrective action plan.
2024-004—Common Origination and Disbursement Reporting
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
Per the Federal Student Aid Handbook Volume 8 Chapter 3: “For each Direct Loan that a school disburses to a student or parent, the school must submit a loan award record to the Common Origination and Disbursement (COD) system that includes the student’s grade level, the loan period and academic year dates, the loan amount, the anticipated and actual dates and amounts of the loan disbursements, and other information. For all Direct Loans, you must document the student’s Cost of Attendance (COA), Expected Family Contribution (EFC), and Estimated Financial Assistance (EFA) in the student’s file. This information must be made available to the Department upon request. The specific Direct Loan amount that a student or parent borrower is eligible to receive is determined based on various factors such as the student’s COA, EFC, EFA, and remaining eligibility under the annual and aggregate loan limits information.”

Condition
The College incorrectly reported the COA to COD for 3 students. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD. The incorrect reporting did not have an effect on the total award given to students (reporting only). The College did not have formally documented controls related to the processes of enrollment reporting and reporting, which is required under Uniform Grant Guidance.

Cause
A manual update to each student’s COA in the COD system was required, but did not occur.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs
There were no questioned costs with respect to this finding.

Context
We tested 34 students who received Federal Direct Student Loans. For each student tested, management provided documentation from COD, showing the reported amount of COA to COD. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD.

Recommendation
We recommend the College review current processes and implement updated processes and controls for reporting to COD, implementing procedures to ensure reporting to COD is accurate.

Views of responsible officials
Management agrees with this finding. See corrective action plan.
2024-005—Disbursements to or on Behalf of Students (Credit Balances)
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Work Study (84.033)
Federal Award Year: 2023-2024
Repeat Finding: No

Criteria
The Code of Federal Regulations (34 CFR 668.164(h)(2)) requires that a Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.

Condition
The College did not pay the Title IV credit balance to the student directly for one student within the required timeline noted above. Out of the 40 students tested, we noted one student (2.5%) whose credit balance was not paid directly to the student within the required timeframe noted above. The incorrect timing did not have an effect on the total award given to students (timing only). The College did not have formally documented controls related to the process associated with disbursements to or on behalf of students (credit balances), which is required under Uniform Grant Guidance.

Cause
A refund to the student was required to be made within the required timeframe, and was done outside the required timeframe.

Effect
Noncompliance with federal regulations could result in the loss of future federal funding.

Questioned costs
There were no questioned costs with respect to this finding.

Context
We tested 40 students who had a credit balance of Title IV funds during the fiscal year ended June 30, 2024. For each student tested, management provided documentation from their student information system, showing when the student was in a credit balance, and when the credit balance was disbursed to the student. Out of the 40 students tested, we noted 1 student (2.5%) whose credit balance was not timely refunded. The student had a credit balance as of March 19, 2024, and the student’s credit balance was refunded to the student on April 23, 2024.

Recommendation
We recommend the College review current processes and implement updated processes and controls for timely student credit balance refunds.

Views of responsible officials
Management agrees with this finding. See corrective action plan.
2024-006—Graham Leach Bliley Act – Student Information Security U.S. Department of Education Student Financial Assistance Programs Cluster (Direct) Federal Work Study Program (84.003) Federal Pell Grant Program (84.063) Federal Perkins Loan Program (84.038) Federal Supplemental Educational Opportunity Grants (84.007) Federal Direct Loan Program (84.268) Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.303(a)) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.   The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. Condition The College’s written information security program did not include the following elements required by regulation as agreed to in the PPA: • The College has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the College included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. The College’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption. • The College has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. 
The safeguards do not include the identification of security events or detection and response capabilities to support incident response. • The College has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.   • The College has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program. • The College has not developed policies and procedures to oversee information service providers Cause The College’s information security policy did not include all of the required elements, in line with the Gramm-Leach-Bliley Act. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Questioned costs There were no questioned costs with respect to this finding. Context Under a College’s PPA with the U.S. Department of Education, institutions must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs Recommendation We recommend the College complete these requirements, in order to be compliance with the Gramm-Leach-Bliley Act. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-002—Late submission of the Single Audit to the Federal Auditing Clearinghouse U.S. Department of Education Student Financial Assistance Programs Cluster TRIO Cluster Federal Award Year: 2023-2024 Repeat Finding: No Criteria The Code of Federal Regulations (2 CFR 200.512(a)) requires that each organization’s audit must be completed and the data collection form and reporting package should be submitted within the earlier of 30 days after receipt of the auditor’s report or nine months after the end of the audit period. Condition The Single Audit package for the College’s fiscal year ended June 30, 2024 should have been submitted to the Federal Audit Clearinghouse by March 31, 2024. The College’s fiscal year 2024 Single Audit package was not submitted to the Federal Audit Clearinghouse within the required time frame. Cause This was due to staffing constraints at the College as well as the implementation of several new systems which impacted the College’s delivery of final trial balances and requested workpapers at the scheduled time of the audit. Effect Noncompliance with federal regulations could result in the loss of future federal funding. Context As of the date of issuance of the single audit report (which is subsequent to the College’s deadline of March 31, 2024), the single audit report was not issued within the required deadline. Questioned costs There were no questioned costs with respect to this finding. Recommendation We recommend that the College review current processes and controls in place in order to ensure that future submissions are reported timely. Views of responsible officials Management agrees with this finding. See corrective action plan.
2024-005—Disbursements to or on Behalf of Students (Credit Balances)
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Work Study (84.033)
Federal Award Year: 2023-2024
Repeat Finding: No
Criteria: The Code of Federal Regulations (34 CFR 668.164(h)(2)) requires that Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition: The College did not pay the Title IV credit balance to the student directly for one student within the required timeline noted above. Out of the 40 students tested, we noted one student (2.5%) whose credit balance was not paid directly to the student within the required timeframe noted above. The incorrect timing did not have an effect on the total award given to students (timing only). The College did not have formally documented controls related to the process associated with disbursements to or on behalf of students (credit balances), which is required under Uniform Grant Guidance.
Cause: A refund to the student was required to be made within the required timeframe, and was done outside the required timeframe.
Effect: Noncompliance with federal regulations could result in the loss of future federal funding.
Questioned costs: There were no questioned costs with respect to this finding.
Context: We tested 40 students who had a credit balance of Title IV funds during the fiscal year ended June 30, 2024. For each student tested, management provided documentation from their student information system, showing when the student was in a credit balance, and when the credit balance was disbursed to the student. Out of the 40 students tested, we noted 1 student (2.5%) whose credit balance was not timely refunded. The student had a credit balance as of March 19, 2024, and the student’s credit balance was refunded to the student on April 23, 2024.
Recommendation: We recommend the College review current processes and implement updated processes and controls for timely student credit balance refunds.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
2024-004—Common Origination and Disbursement Reporting
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Direct Loan Program (84.268)
Federal Pell Grant Program (84.063)
Federal Award Year: 2023-2024
Repeat Finding: No
Criteria: Per the Federal Student Aid Handbook Volume 8 Chapter 3: “For each Direct Loan that a school disburses to a student or parent, the school must submit a loan award record to the Common Origination and Disbursement (COD) system that includes the student’s grade level, the loan period and academic year dates, the loan amount, the anticipated and actual dates and amounts of the loan disbursements, and other information. For all Direct Loans, you must document the student’s Cost of Attendance (COA), Expected Family Contribution (EFC), and Estimated Financial Assistance (EFA) in the student’s file. This information must be made available to the Department upon request. The specific Direct Loan amount that a student or parent borrower is eligible to receive is determined based on various factors such as the student’s COA, EFC, EFA, and remaining eligibility under the annual and aggregate loan limits information.”
Condition: The College incorrectly reported the COA to COD for 3 students. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD. The incorrect reporting did not have an effect on the total award given to students (reporting only). The College did not have formally documented controls related to the processes of enrollment reporting and reporting, which is required under Uniform Grant Guidance.
Cause: A manual update to each student’s COA in the COD system was required, but did not occur.
Effect: Noncompliance with federal regulations could result in the loss of future federal funding.
Questioned costs: There were no questioned costs with respect to this finding.
Context: We tested 34 students who received Federal Direct Student Loans. For each student tested, management provided documentation from COD, showing the reported amount of COA to COD. Out of the 34 students tested, we noted 3 students (8.8%) whose COA was incorrectly reported to COD.
Recommendation: We recommend the College review current processes and implement updated processes and controls for reporting to COD, implementing procedures to ensure reporting to COD is accurate.
Views of responsible officials: Management agrees with this finding. See corrective action plan.