Finding FA 2024-001: Special Tests and Provisions: Enrollment Reporting: Inaccurate Enrollment
Effective Date Reported in the Campus-Level Record Data of the National Student Loan Data System
(NSLDS)
Federal Program Information:
Assistance Listing Number: ALN 84.063, 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Pell Grant Program, Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P210036, P268K220036
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles Valley College
Compliance Requirement: Special Tests and Provisions – Enrollment Reporting
Criteria or Specific Requirement:
Per the Compliance Supplement, Enrollment Reporting – Compliance Requirements: The administration of the
Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by
institutions. Institutions must review, update, and certify student enrollment statuses, program information, and
effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of
the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the
auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what
NSLDS has as the most recently certified enrollment. There are two categories of enrollment information,
“Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record
types.
Institutions are responsible for accurately reporting all Campus-Level Record data elements. ED considers the following data elements to be high risk: OPEID Number, Enrollment Effective Date, Enrollment Status and
Certification Date.
Institutions are responsible for accurately reporting all Program-Level Record data elements. ED considers the
following data elements to be high risk: OPEID Number, CIP Code, Credential Level, Published Program
Length Measurement, Published Program Length, Program Begin Date, Program Enrollment Status, and
Program Enrollment Effective Date.
Identified Condition:
Of the 20 students selected for testwork at Los Angeles Valley College, we noted 1 student that had an
enrollment status change from half-time to three-quarter time that was inaccurately recorded in the
“Campus-Level Record” data section in the NSLDS. While the District correctly reported the program
enrollment effective date as 7/14/2024 in the “Program-Level Record” data section of the NSLDS, the
enrollment effective date was inaccurately reported as 7/23/2024 in the “Campus-Level Record” data section in
the NSLDS.
Cause and Effect:
The PeopleSoft enrollment reporting system, as delivered, did not provide a student status effective date (SSD)
in cases of a change in a student's enrollment load, and National Student Clearinghouse (NSC) documentation states
that provision of the SSD is not required. However, this condition contributed to a high volume of reporting
errors, requiring manual error correction by the District’s college staff. To address this issue, the District
developed a programming modification to automatically provide a date in the system for instances of a change
in the student's academic load. The date provided in the system, based on the NSC submission calendar, was
the day prior to the file generation date (the day before the “As of Date” on the NSC submission calendar). This
modification can, in some circumstances, cause the student status effective date reported to the NSC to differ
from the effective date of the academic load change in the PeopleSoft student information system.
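The defaulting behaviour described above produces a campus-level date that is tied to the submission calendar rather than to the actual load change, so the two record types can disagree for the same student. The following Python reconciliation is an added example, not code from the audit report or from the District's PeopleSoft modification: it compares the Campus-Level and Program-Level effective dates for each certified record, reports every disagreement, and tags those where the campus-level date equals the day before the As of Date, since that pattern points at a system-generated date rather than a keying error. The record field names, the student identifiers, the As of Date of 2024-07-24 and the status codes are constructed for the example and are not values taken from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class EnrollmentRecord:
    """One student's certified enrollment with both record types side by side.

    Field names are this example's own, not the NSLDS record layout names.
    """
    student_id: str
    enrollment_status: str      # campus-level status code as certified (illustrative)
    campus_effective: date      # Campus-Level Record: Enrollment Effective Date
    program_effective: date     # Program-Level Record: Program Enrollment Effective Date


def reconcile(records: List[EnrollmentRecord], as_of_date: date) -> List[Dict[str, str]]:
    """Return one exception per record whose two effective dates disagree.

    as_of_date is the NSC submission calendar "As of Date" of the file that
    carried the certification. A campus-level date equal to the day before it
    matches the defaulting behaviour described in the finding and is tagged so
    staff can separate likely system-generated dates from other discrepancies.
    """
    default_date = as_of_date - timedelta(days=1)
    exceptions: List[Dict[str, str]] = []
    for rec in records:
        if rec.campus_effective == rec.program_effective:
            continue  # both record types agree; nothing to report
        if rec.campus_effective == default_date:
            reason = "campus-level date equals day before As of Date (likely system default)"
        else:
            reason = "campus-level and program-level effective dates differ"
        exceptions.append({
            "student_id": rec.student_id,
            "status": rec.enrollment_status,
            "campus_effective": rec.campus_effective.isoformat(),
            "program_effective": rec.program_effective.isoformat(),
            "reason": reason,
        })
    return exceptions


# Constructed sample data. The second record mirrors the dates in the finding
# (7/14/2024 program-level vs 7/23/2024 campus-level); the As of Date of
# 2024-07-24 is an assumption chosen so that record illustrates the default
# pattern, not a date taken from the report.
SAMPLE_AS_OF = date(2024, 7, 24)
SAMPLE_RECORDS = [
    EnrollmentRecord("S-0001", "Q", date(2024, 7, 14), date(2024, 7, 14)),
    EnrollmentRecord("S-0002", "Q", date(2024, 7, 23), date(2024, 7, 14)),
    EnrollmentRecord("S-0003", "H", date(2024, 7, 1), date(2024, 7, 10)),
]


def sample_report() -> List[Dict[str, str]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_RECORDS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Run against a real roster extract, the check would be executed once per submission file with that file's As of Date, and the tagged rows reviewed before certification rather than after an audit sample turns them up.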
Questioned Costs:
Not applicable.
Finding FA 2024-002: Special Tests and Provisions: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds; and Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP) (Repeat Finding)
Federal Program Information:
Assistance Listing Number: ALN 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Pell Grant Program
Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P210033; P063P215263; P063P210034; P063P210658;
P063P210035; P063P215261; P063P215260; P063P210036;
P063P215262; P268K220033; P268K225263; P268K220034;
P268K220658; P268K220035; P268K225261; P268K225260;
P268K220036; P268K225262
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles City College (Repeat Finding)
East Los Angeles College (Repeat Finding)
Los Angeles Harbor College (Repeat Finding)
Los Angeles Mission College (Repeat Finding)
Los Angeles Pierce College (Repeat Finding)
Los Angeles Southwest College (Repeat Finding)
Los Angeles Trade Technical College (Repeat Finding)
Los Angeles Valley College (Repeat Finding)
West Los Angeles College (Repeat Finding)
Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds
Criteria or Specific Requirement:
Per 34 Code of Federal Regulations:
34 CFR 668.22(a) When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement.
34 CFR 668.22(b) Withdrawal date for a student who withdraws from an institution that is required to take attendance: “(1) ...the student’s withdrawal date is the last date of academic attendance as determined by the institution from its attendance records. (2) An institution must document a student’s withdrawal date and maintain the documentation as of the date of the institution’s determination that the student withdrew.”
34 CFR 668.22(c) Withdrawal date for a student who withdraws from an institution that is not required to take attendance: “(1) ...a student who ceases attendance at an institution that is not required to take attendance, the student’s withdrawal date is – (i) The date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (ii) The date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (iii) If the student ceases attendance without providing official notification to the institution of his or her withdrawal in accordance with paragraph (c)(1)(i) or (c)(1)(ii) of this section, the
mid-point of the payment period (or period of enrollment, if applicable); (iv) If the institution determines that a student did not begin the institution’s withdrawal process or otherwise provide official notification (including notice from an individual acting on the student’s behalf) to the institution of his or her intent to withdraw because of illness, accident, grievous personal loss, or other such circumstances beyond the student’s control, the date that the institution determines is related to that circumstance; (v) If a student does not return from an approved leave of absence as defined in paragraph (d) of this section, the date that the institution determines the student began the leave of absence; or (vi) If a student takes a leave of
absence that does not meet the requirements of paragraph (d) of this section, the date that the student began the leave of absence. (2) An institution that is not required to take attendance may use as the student’s withdrawal date a student’s last date of attendance at an academically related activity provided that the institution documents that the activity is academically related and documents the student’s attendance at the activity. (3) An institution must document a student’s withdrawal date and maintain the documentation as of the date of the institution’s determination that the student withdrew.
Per OMB Compliance Supplement:
Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question.
Per the Department of Education’s Program Integrity Q&As for Return of Title IV Funds: An institution that is required to take attendance: An institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking:
1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or
2. Is used to administratively withdraw students or to enforce an institutional attendance policy.
Identified Condition:
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
Los Angeles City College
East Los Angeles College
Los Angeles Harbor College
Los Angeles Mission College
Los Angeles Pierce College
Los Angeles Southwest College
Los Angeles Trade Technical College
Los Angeles Valley College
West Los Angeles College
Description:
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
We noted 2 of 20 students selected for return to Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance for Fall 2023 that had an incorrect calculation of return of Title IV amounts. The students had a reduction in eligible Title IV grant aid for $1,335 and $2,304, respectively, but the District did not recalculate the student and campus return of Title IV amounts based on
the updated eligible Title IV grant aid amount. For these 2 students, such error resulted in:
• 1 student with an understatement of institutional return of $119 and an understatement of student
return of $104. The effect of the understatement did not result in questioned costs due to grant
protection.
• 1 student with an understatement of student return of $230 after the grant protection is applied.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
In assessing the District's CAP for prior year finding FA 2023-002, we noted that during Fall 2023, the District implemented a formal process to monitor a student's active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of a student's withdrawal date in the Student Information System (SIS). There are two types of withdrawals for DE courses: student-initiated withdrawals and instructor-initiated withdrawals. For student-initiated withdrawals, the withdrawal date used in the calculation of return of Title IV funds is the date the student initiates the withdrawal from the course in the system. For instructor-initiated withdrawals, the District implemented formal procedures beginning in Fall 2023 whereby the instructor is responsible for reviewing student rosters for DE courses at scheduled intervals (census roster date, exclusion roster date, and active enrollment roster date) throughout the term. At these scheduled interval dates, the instructor must initiate a withdrawal for a student who is deemed to no longer be academically engaged, as determined by the instructor. Additionally, the District's Internal Audit Department began conducting reviews of the instructor's data entry related to student withdrawal dates for DE courses into the SIS beginning in November 2023. During the current year, the Internal Audit Department conducted 10 independent reviews related to instructor-initiated withdrawals in order to assess the accuracy of the student withdrawal dates within the SIS after implementation of the new process.
The results of such reviews identified numerous and various exceptions such as unmatched withdrawal dates between the Canvas Learning Management System (Canvas) and SIS, missing participation dates in Canvas for students re-added to course history, and instances where the last date of student participation could not be determined within the Canvas.
Cause and Effect:
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
The Financial Aid Senior Accounting Technician who processed the Fall 2023 return to Title IV (R2T4) calculations overlooked clicking the save button to update the SIS R2T4 worksheet for these 2 students. The calculations and review of the R2T4 batch were accurate, but the worksheet E, F, and G award updates were not saved in the SIS, which caused the calculations to be slightly off.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student
Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
Despite the best efforts of the District office to implement the active enrollment roster, as well as messaging to faculty with the requirement to complete the active enrollment roster and post the student's last date of attendance, internal review demonstrated that additional actions must be taken to improve compliance. The SIS is used to maintain student records and for administering aid. Incorrect information in the SIS can lead to an incorrect return of Title IV funds calculation. Without a process to determine the accuracy of student withdrawal dates, there is a risk of incorrect return of Title IV calculations.
Questioned Costs:
A. Incorrect Calculation of Return of Title IV Funds - see schedule of findings and questioned costs.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student
Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP) - Not applicable.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s expectation that the Qualified Individual would be able to provide the written information security program that addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on tests of controls performed to verify that the access of terminated employees is removed from PS SIS, SAP and Active Directory (AD) in a timely manner, we noted the following among the terminated employees selected for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, no review is performed to confirm that regular users’ access to these systems remains valid. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
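The test of controls described above can be reproduced as a reconciliation of the HR termination feed against each system’s account export. The following script is an added example and is not part of the audit report or of the District’s tooling: the employee ids, termination dates, account status flags and last-login dates are constructed sample data, the field names are assumptions, and the script goes one step beyond the reported counts by also flagging accounts that were eventually disabled but were signed into after the termination date.

```python
"""
Added example, not part of the audit report or the District's tooling: a
reconciliation of an HR termination feed against per-system account exports,
reproducing the test of controls behind Finding A. Every record below is
constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR feed: employee id -> termination date.
TERMINATED = {
    "E1001": date(2024, 1, 15),
    "E1002": date(2024, 2, 29),
    "E1003": date(2023, 11, 3),
    "E1004": date(2024, 4, 1),
}

# Constructed account exports per system. `active` is the export's status
# flag; `last_login` is None when the account has never signed in.
ACCOUNTS = {
    "PS SIS": [
        {"employee_id": "E1001", "active": True,  "last_login": date(2024, 1, 20)},
        {"employee_id": "E1002", "active": False, "last_login": date(2024, 3, 1)},
        {"employee_id": "E1003", "active": True,  "last_login": date(2023, 10, 30)},
        {"employee_id": "E1004", "active": True,  "last_login": None},
        {"employee_id": "E2000", "active": True,  "last_login": date(2024, 5, 6)},
    ],
    "SAP": [
        {"employee_id": "E1001", "active": True,  "last_login": date(2024, 3, 2)},
        {"employee_id": "E1003", "active": False, "last_login": None},
    ],
    "AD": [
        {"employee_id": "E1001", "active": True,  "last_login": date(2024, 1, 14)},
        {"employee_id": "E1002", "active": True,  "last_login": date(2024, 3, 10)},
        {"employee_id": "E1004", "active": True,  "last_login": date(2024, 4, 1)},
    ],
}


@dataclass(frozen=True)
class AccessFinding:
    system: str
    employee_id: str
    terminated_on: date
    still_active: bool
    logged_in_after_termination: bool


def reconcile(terminated, accounts, grace_days=0):
    """Return one AccessFinding per terminated employee whose account is still
    active in a system, or who signed in after the termination date.

    `grace_days` is the number of days after termination within which
    deprovisioning is considered timely (0 = same day). A login later than
    that window is flagged even if the account has since been disabled."""
    findings = []
    for system, rows in accounts.items():
        for row in rows:
            term = terminated.get(row["employee_id"])
            if term is None:
                continue  # current employee: out of scope for this test
            cutoff = term + timedelta(days=grace_days)
            last = row["last_login"]
            logged_after = last is not None and last > cutoff
            if row["active"] or logged_after:
                findings.append(AccessFinding(system, row["employee_id"], term,
                                              row["active"], logged_after))
    return findings


def summarize(findings):
    """Per-system counts in the shape the finding reports them."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f.system, {"still_active": 0,
                                          "logged_in_after_termination": 0})
        s["still_active"] += f.still_active
        s["logged_in_after_termination"] += f.logged_in_after_termination
    return summary


if __name__ == "__main__":
    for f in reconcile(TERMINATED, ACCOUNTS):
        print(f)
    print(summarize(reconcile(TERMINATED, ACCOUNTS)))
```

The same comparison, run on a schedule against the real HR feed and account exports rather than at audit time, is the detective control that makes an untimely deprovisioning visible within days instead of at the next audit; the `grace_days` parameter is the institution’s own definition of “timely”.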
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
The requirement that institutions monitor and log the activity of authorized users and detect unauthorized access to or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)] is not currently implemented by the District.
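What 16 CFR 314.4(c)(8) asks for, in practice, is an audit trail of what authorized users do with customer information plus a routine that reads that trail and raises the cases a reviewer should look at. The script below is an added example, not part of the audit report and not the District’s SAP or PS SIS logging: the key=value log format, the entitlement roster, the disabled-account list, the bulk-export threshold and the business-hours window are all assumptions, and the log lines are constructed.

```python
"""
Added example, not part of the audit report or the District's systems: a small
monitor over constructed SAP/PS SIS-style audit events that implements the
intent of 16 CFR 314.4(c)(8), flagging activity by unknown or disabled accounts,
reads or changes outside a user's entitlements, bulk exports and off-hours
access. The log format, roster and thresholds are assumptions.
"""
import re
from datetime import datetime

# Constructed entitlement roster: which customer-information objects each
# authorized user may read and which they may change.
ENTITLEMENTS = {
    "jdoe":      {"read": {"STUDENT_FIN_AID"},                "write": set()},
    "asmith":    {"read": {"STUDENT_FIN_AID", "STUDENT_BIO"}, "write": {"STUDENT_FIN_AID"}},
    "svc_batch": {"read": {"STUDENT_BIO"},                    "write": {"STUDENT_BIO"}},
}
DISABLED_USERS = {"bgone"}      # deprovisioned accounts: any activity is an alert
BULK_EXPORT_ROWS = 1000         # assumed threshold for a bulk-export alert
BUSINESS_HOURS = range(6, 20)   # assumed 06:00-19:59 local

# Constructed log lines in an assumed key=value format; the last line is
# deliberately malformed (missing rows=) to show how gaps are handled.
SAMPLE_LOG = """\
2024-03-04T09:12:01 system=PSSIS user=jdoe action=READ object=STUDENT_FIN_AID rows=1
2024-03-04T09:15:44 system=PSSIS user=jdoe action=UPDATE object=STUDENT_FIN_AID rows=1
2024-03-04T10:02:10 system=SAP user=asmith action=UPDATE object=STUDENT_FIN_AID rows=1
2024-03-04T23:41:05 system=SAP user=asmith action=EXPORT object=STUDENT_FIN_AID rows=4200
2024-03-05T02:30:00 system=PSSIS user=bgone action=READ object=STUDENT_BIO rows=1
2024-03-05T08:00:00 system=PSSIS user=unknown7 action=READ object=STUDENT_FIN_AID rows=1
2024-03-05T08:05:00 system=SAP user=svc_batch action=DELETE object=STUDENT_FIN_AID rows=300
2024-03-05T08:06:00 system=SAP user=asmith action=READ object=STUDENT_BIO
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) system=(?P<system>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>READ|UPDATE|DELETE|EXPORT) object=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)
READ_ACTIONS = {"READ", "EXPORT"}
WRITE_ACTIONS = {"UPDATE", "DELETE"}


def evaluate(event):
    """Return the list of alert reasons for one parsed event (empty = benign)."""
    reasons = []
    user, action, obj = event["user"], event["action"], event["obj"]
    if user in DISABLED_USERS:
        reasons.append("disabled_account_activity")
    elif user not in ENTITLEMENTS:
        reasons.append("unknown_user")
    else:
        ent = ENTITLEMENTS[user]
        if action in READ_ACTIONS and obj not in ent["read"]:
            reasons.append("unentitled_read")
        if action in WRITE_ACTIONS and obj not in ent["write"]:
            reasons.append("unentitled_write")   # possible tampering
    if action == "EXPORT" and event["rows"] >= BULK_EXPORT_ROWS:
        reasons.append("bulk_export")
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return reasons


def monitor(log_text):
    """Parse each log line and return alerts as {line, user, reasons} dicts.
    Lines that do not parse are alerted too: a gap in the audit trail is
    itself a monitoring failure."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            alerts.append({"line": n, "user": None, "reasons": ["unparseable"]})
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["rows"] = int(event["rows"])
        reasons = evaluate(event)
        if reasons:
            alerts.append({"line": n, "user": event["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(a)
```

The entitlement roster is the link between this finding and Finding A: the same provisioning data that drives the regular user access review is what lets the monitor tell an authorized read from an unauthorized one, so neither control works well without the other.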
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented, and was observed, on a sample workstation that processes customer information. However, no encryption mechanism is currently implemented for the SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove the accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk that inappropriate users or access rights remain undetected over time, which could be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers
Data held on servers without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in
the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16
CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system
– Dispose of customer information securely
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards
it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to
enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it
knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s
expectation that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on test of controls to verify that access of terminated employees is timely removed in PS SIS, SAP and Active Directory (AD), we noted that out of the terminated employees subject for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data that is held to servers without encryption is vulnerable to unauthorized access specially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in
the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16
CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system
– Dispose of customer information securely
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards
it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to
enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it
knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s
expectation that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on test of controls to verify that access of terminated employees is timely removed in PS SIS, SAP and Active Directory (AD), we noted that out of the terminated employees subject for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data that is held to servers without encryption is vulnerable to unauthorized access specially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s expectation that the Qualified Individual would be able to provide the written information security program that addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on tests of controls to verify that the access of terminated employees is removed from PS SIS, SAP and Active Directory (AD) in a timely manner, we noted that, of the terminated employees subject to testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
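The control test behind conditions A and B is a reconciliation: the HR termination list is matched against each system’s account export to find accounts that are still active, and against an authentication log to find successful logins after the termination date; the same log also supports the regular user access review that condition A notes is missing, by surfacing active accounts with no recent login. The following Python is an added example of that reconciliation, not the District’s or the auditor’s code. The system names PS_SIS, SAP and AD come from the finding; the user ids, termination dates, account statuses, log format and the 90-day dormancy threshold are constructed assumptions for illustration.

```python
"""Terminated-user and dormant-account access review (added example, constructed data)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# --- Constructed sample data; none of this is the District's actual data ---

# HR termination list: user id -> last day of employment (assumed format)
TERMINATIONS = {
    "jdoe": date(2024, 1, 31),
    "asmith": date(2024, 3, 15),
    "bwong": date(2024, 5, 1),
}

# Account exports per system: user id -> account status (assumed format)
ACCOUNTS = {
    "PS_SIS": {"jdoe": "ACTIVE", "asmith": "DISABLED", "bwong": "ACTIVE", "clee": "ACTIVE"},
    "SAP":    {"jdoe": "ACTIVE", "asmith": "ACTIVE", "clee": "ACTIVE"},
    "AD":     {"jdoe": "DISABLED", "asmith": "ACTIVE", "bwong": "ACTIVE", "clee": "ACTIVE"},
}

# Authentication log, one event per line: "<ISO timestamp> <system> <user> <result>"
AUTH_LOG = """\
2024-01-30T09:12:00 PS_SIS jdoe SUCCESS
2024-02-12T08:03:00 PS_SIS jdoe SUCCESS
2024-03-20T17:45:00 SAP asmith SUCCESS
2024-03-21T07:10:00 AD asmith FAILURE
2024-04-02T10:00:00 SAP clee SUCCESS
2024-06-11T11:30:00 PS_SIS clee SUCCESS
"""

# Review date used for the dormancy check (assumed)
AS_OF = date(2024, 6, 30)


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, system, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, user, result = line.split()
        events.append((datetime.fromisoformat(ts), system, user, result))
    return events


def review_terminated_access(terminations, accounts, events):
    """Per system: terminated users still ACTIVE, and successful logins after termination."""
    findings = {}
    for system, users in accounts.items():
        still_active = sorted(
            u for u, status in users.items() if u in terminations and status == "ACTIVE"
        )
        post_termination = defaultdict(list)
        for ts, sys_name, user, result in events:
            # Only successful authentications count as use of the account;
            # a failed attempt is worth noting elsewhere but is not a login.
            if (sys_name == system and result == "SUCCESS"
                    and user in terminations and ts.date() > terminations[user]):
                post_termination[user].append(ts)
        findings[system] = {
            "still_active": still_active,
            "logged_in_after_termination": dict(post_termination),
        }
    return findings


def dormant_accounts(accounts, events, as_of, max_idle_days=90):
    """Per system: ACTIVE accounts with no successful login within max_idle_days of as_of."""
    last_success = {}
    for ts, system, user, result in events:
        if result == "SUCCESS":
            key = (system, user)
            if key not in last_success or ts > last_success[key]:
                last_success[key] = ts
    cutoff = as_of - timedelta(days=max_idle_days)
    dormant = {}
    for system, users in accounts.items():
        stale = []
        for user, status in users.items():
            if status != "ACTIVE":
                continue
            last = last_success.get((system, user))
            # No login on record at all is treated as dormant, not as "unknown".
            if last is None or last.date() < cutoff:
                stale.append(user)
        dormant[system] = sorted(stale)
    return dormant


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for system, result in review_terminated_access(TERMINATIONS, ACCOUNTS, events).items():
        print(system, "still active:", result["still_active"],
              "post-termination logins:", result["logged_in_after_termination"])
    print("dormant:", dormant_accounts(ACCOUNTS, events, AS_OF))
```

Two design points are worth noting. First, the account export and the authentication log answer different questions: an account that is still enabled is a control failure even if nobody has used it, while a successful login after the termination date is the evidence that the failure was exploited, which is why the finding reports both counts. Second, the dormancy check treats an active account with no login history as dormant rather than unknown, so that a reviewer sees it rather than silently skipping it.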
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk that inappropriate users or access remain undetected over time, which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data held on servers without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.
Finding FA 2024-004: Special Tests and Provisions – Verification: Late Reporting of Verification Results
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Supplement Educational Opportunity Grants (FSEOG),
Federal Work Study Program, Federal Pell Grant Program,
Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P007A210457, P033A210457, P063P210036, P268K220036
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles Harbor College
Los Angeles Trade Technical College
Los Angeles Valley College
Compliance Requirement: Special Tests and Provisions – Verification
Criteria or Specific Requirement:
Per the Application and Verification Guide of the 2023-2024 Federal Student Aid Handbook, Chapter 4, titled Verification, Updates, and Corrections, the institution must report the verification results of identity for any student for whom the institution (1) receives an ISIR with tracking flag V4 or V5, as selected by the Central Processing System (CPS), and (2) requests verification documentation. The institution reports this information on the FAA Access to CPS Online website. For the 2023–2024 award year, the institution will then enter one of the following numeric codes that most applies:
Code 1 – Verification completed in person, no issues found
Code 2 – Verification completed remotely, no issues found
Code 3 – Verification attempted; issues found with identity.
Code 5 – No response from applicant or unable to locate
The institution is required to report results no more than 60 days following the first request to the student for documentation of identity. Inaccurate and untimely reporting may subject the institution to findings as a result of the annual compliance audit or a program review. If there is a change in a result the institution has already submitted, the institution can submit the new code using the above process and must make that change within 30 days of becoming aware that a change occurred. The most recent submission will supplant prior award year submissions. Because the Financial Aid Administrator (FAA) Access website does not store a list of these verification results for the institution to retrieve, ED recommends that the institution print and keep the confirmation page for its records.
Identified Condition:
Los Angeles Harbor College, Los Angeles Trade Technical College, and Los Angeles Valley College
Of the 60 students selected for verification test work, we noted 10 students with verification codes (tracking flags) V4 and V5 whose files were reviewed and verification results submitted to CPS beyond the required 60-day timeframe following the campuses’ initial request to the student for identity documentation. See schedule of identified condition.
Cause and Effect:
Los Angeles Harbor College, Los Angeles Trade Technical College, and Los Angeles Valley College
Due to many unexpected FAFSA Simplification rollout issues for FY 2024-25, the Financial Aid Technicians could not start reviewing 2023-24 files until late into the summer term, and V4/V5 verification data was not reported until after file review had begun.
Questioned Costs:
Not applicable.
Finding FA 2024-005: Level of Effort: Performance Outcomes Not Met
Federal Program Information:
Assistance Listing Number: ALN 17.268
Federal Program Name: H-1B Job Training Grant
Federal Agency: U.S. Department of Labor (DOL)
Passed Through Entity: N/A
Federal Award Number: HG-33046-19-60-A-6
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: West Los Angeles College
Compliance Requirement: Level of Effort
Criteria or Specific Requirement:
Per the DOL’s Employment and Training Awards (ETA) Handbook, page 24: ETA places a very high priority on maximizing successful grant performance and relies heavily on frequent performance reporting to measure and track your success toward achieving satisfactory outcomes. ETA grantees are required to submit quarterly progress reports which track performance throughout the entire lifetime of the grant. These include a performance report comprised of data related to a number of performance targets and measurements specifically designed to align with the grant’s Statement of Work (SOW) and individual performance objectives: 1) Total grant participants served; 2) Total participants beginning and completing education/training activities; 3) Total number of credentials attained by participants; and 4) Total number of participants who secured and/or retained employment.
Per the SOW and Modified Contract, see schedule for the performance outcomes / key outcomes that were identified and planned for the program.
Per FOA-ETA-18-08 Apprentice Training and Employment Performance Outcomes: Applicants must include comprehensive numerical outcome projections for each of the seven outcome measures. The targets must be provided for each year of the grant, as well as for the total grant period. While applicants are required to propose goals for the seven outcome categories identified in Section IV.B.3.a.(2) Expected Outcomes and Outputs, which are specific to this Funding Opportunity Award (FOA), they will also be required to report outcomes in alignment with outcomes identified in Workforce Innovation and Opportunity Act (WIOA), as applicable. Per Section IV.B.3.a.(2) of the Funding Opportunity Award for the H-1B Job Training Grant (FOA-ETA-18-08), grantees must meet measurable performance targets in key areas, including apprenticeship enrollment, program completion rates, job placement, wage increases, and retention within high-demand fields. These performance goals must correspond to the scope of each project’s funding level to ensure program impact and sustainability.
Identified Condition:
The District was able to achieve success in meeting and exceeding four out of six key performance outcomes, demonstrating effective management in several critical areas, including Participants Enrolled, Begin Education/Training, Entered Employment, and Expenditures. However, two key performance outcomes, Completed Education/Training and Attained Credential, were not met, reflecting areas of underperformance against the modified grant contract projections for the grant period ended June 30, 2024. See schedule for key outcome identified.
Cause and Effect:
The District implemented effective management strategies that resulted in success in four out of six key performance outcomes, including Participants Enrolled, Begin Education/Training, Entered Employment, and Expenditures. These outcomes benefited from efficient program delivery, resource allocation, and targeted interventions. However, the goals related to training completion and credential attainment were influenced by several factors outside the District’s control, such as the COVID-19 pandemic and participants’ personal circumstances, which may lead them to alter their commitment to the program. Despite not fully meeting the targets for training completion and credentialing, the program’s overall success remained unaffected, as it exceeded its original Funding Opportunity Announcement required performance outcome by placing over 5,000 participants into the job market.
Questioned Costs:
None.
Finding FA 2024-001: Special Tests and Provisions: Enrollment Reporting: Inaccurate Enrollment
Effective Date Reported in the Campus-Level Record Data of the National Student Loan Data System
(NSLDS)
Federal Program Information:
Assistance Listing Number: ALN 84.063, 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Pell Grant Program, Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P210036, P268K220036
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles Valley College
Compliance Requirement: Special Tests and Provisions – Enrollment Reporting
Criteria or Specific Requirement:
Per the Compliance Supplement, Enrollment Reporting – Compliance Requirements: The administration of the
Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by
institutions. Institutions must review, update, and certify student enrollment statuses, program information, and
effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of
the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the
auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what
NSLDS has as the most recently certified enrollment. There are two categories of enrollment information,
“Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record
types.
Institutions are responsible for accurately reporting all Campus-Level Record data elements. ED considers the following data elements to be high risk: OPEID Number, Enrollment Effective Date, Enrollment Status and
Certification Date.
Institutions are responsible for accurately reporting all Program-Level Record data elements. ED considers the
following data elements to be high risk: OPEID Number, CIP Code, Credential Level, Published Program
Length Measurement, Published Program Length, Program Begin Date, Program Enrollment Status, and
Program Enrollment Effective Date.
Identified Condition:
Of the 20 students selected for testwork at Los Angeles Valley College, we noted 1 student that had an enrollment status change from half-time to three-quarter time that was inaccurately recorded in the “Campus-Level Record” data section in the NSLDS. While the District correctly reported the program enrollment effective date as 7/14/2024 in the “Program-Level Record” data section of the NSLDS, the enrollment effective date was inaccurately reported as 7/23/2024 in the “Campus-Level Record” data section in the NSLDS.
Cause and Effect:
The PeopleSoft enrollment reporting system, as delivered, did not provide a student status effective date (SSD)
in cases of a change in student level load and National Student Clearinghouse (NSC) documentation states
that provision of the SSD is not required. However, this condition contributed to a high volume of reporting
errors, requiring manual error correction by the District’s college staff. To address this issue, the District
developed a programming modification to automatically provide a date in the system for instances of a change
in the student academic load. The date provided in the system, based on the NSC submission calendar, was
the day prior to the file generation date (the day before the “As of Date” on the NSC submission calendar). This
modification can, in some circumstances, lead to misalignment of student status effective date reported to the
NSC and the effective date of the academic load change in the PeopleSoft student information system.
Questioned Costs:
Not applicable.
Finding FA 2024-002: Special Tests and Provisions: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds; and Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP) (Repeat Finding)
Federal Program Information:
Assistance Listing Number: ALN 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Pell Grant Program
Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P210033; P063P215263; P063P210034; P063P210658;
P063P210035; P063P215261; P063P215260; P063P210036;
P063P215262; P268K220033; P268K225263; P268K220034;
P268K220658; P268K220035; P268K225261; P268K225260;
P268K220036; P268K225262
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles City College (Repeat Finding)
East Los Angeles College (Repeat Finding)
Los Angeles Harbor College (Repeat Finding)
Los Angeles Mission College (Repeat Finding)
Los Angeles Pierce College (Repeat Finding)
Los Angeles Southwest College (Repeat Finding)
Los Angeles Trade Technical College (Repeat Finding)
Los Angeles Valley College (Repeat Finding)
West Los Angeles College (Repeat Finding)
Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds
Criteria or Specific Requirement:
Per 34 Code of Federal Regulations:
34 CFR 668.22(a) When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement.
34 CFR 668.22(b) Withdrawal date for a student who withdraws from an institution that is required to take attendance: “(1) ... the student’s withdrawal date is the last date of academic attendance as determined by the institution from its attendance records. (2) An institution must document a student’s withdrawal date and maintain the documentation as of the date of the institution’s determination that the student withdrew.”
34 CFR 668.22(c) Withdrawal date for a student who withdraws from an institution that is not required to take attendance: “(1) ... a student who ceases attendance at an institution that is not required to take attendance, the student’s withdrawal date is – (i) The date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (ii) The date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (iii) If the student ceases attendance without providing official notification to the institution of his or her withdrawal in accordance with paragraph (c)(1)(i) or (c)(1)(ii) of this section, the mid-point of the payment period (or period of enrollment, if applicable); (iv) If the institution determines that a student did not begin the institution’s withdrawal process or otherwise provide official notification (including notice from an individual acting on the student’s behalf) to the institution of his or her intent to withdraw because of illness, accident, grievous personal loss, or other such circumstances beyond the student’s control, the date that the institution determines is related to that circumstance; (v) If a student does not return from an approved leave of absence as defined in paragraph (d) of this section, the date that the institution determines the student began the leave of absence; or (vi) If a student takes a leave of absence that does not meet the requirements of paragraph (d) of this section, the date that the student began the leave of absence. (2) An institution that is not required to take attendance may use as the student’s withdrawal date a student’s last date of attendance at an academically related activity provided that the institution documents that the activity is academically related and documents the student’s attendance at the activity. (3) An institution must document a student’s withdrawal date and maintain the documentation as of the date of the institution’s determination that the student withdrew.”
Per OMB Compliance Supplement:
Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question.
Per the Department of Education’s Program Integrity Q&As for Return of Title IV Funds: An institution that is required to take attendance: An institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking:
1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or
2. Is used to administratively withdraw students or to enforce an institutional attendance policy.
Identified Condition:
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
Los Angeles City College
East Los Angeles College
Los Angeles Harbor College
Los Angeles Mission College
Los Angeles Pierce College
Los Angeles Southwest College
Los Angeles Trade Technical College
Los Angeles Valley College
West Los Angeles College
Description
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
We noted 2 of 20 students selected for return to Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance for Fall 2023 that had an incorrect calculation of return of Title IV amounts. The students had a reduction in eligible Title IV grant aid for $1,335 and $2,304, respectively, but the District did not recalculate the student and campus return of Title IV amounts based on
the updated eligible Title IV grant aid amount. For these 2 students, such error resulted in:
• 1 student with an understatement of institutional return of $119 and an understatement of student return of $104. The effect of the understatement did not result in questioned costs due to grant protection.
• 1 student with an understatement of student return of $230 after the grant protection is applied.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
In assessing the District's CAP for prior year finding FA 2023-002, we noted that during Fall 2023, the District implemented a formal process to monitor a student's active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of a student's withdrawal date in the Student Information System (SIS). There are two types of withdrawals for DE courses: student-initiated withdrawals and instructor-initiated withdrawals. For student-initiated withdrawals, the withdrawal date used in the calculation of return of Title IV funds is the date the student initiates the withdrawal from the course in the system. For instructor-initiated withdrawals, the District implemented formal procedures beginning in Fall 2023 whereby the instructor is responsible for reviewing student rosters for DE courses at scheduled intervals (census roster date, exclusion roster date, and active enrollment roster date) throughout the term. At these scheduled interval dates, the instructor must initiate a withdrawal for a student who is deemed to no longer be academically engaged, as determined by the instructor. Additionally, the District's Internal Audit Department began conducting reviews of the instructor's data entry related to student withdrawal dates for DE courses into the SIS beginning in November 2023. During the current year, the Internal Audit Department conducted 10 independent reviews related to instructor-initiated withdrawals in order to assess the accuracy of the student withdrawal dates within the SIS after implementation of the new process.
The results of such reviews identified numerous and various exceptions, such as unmatched withdrawal dates between the Canvas Learning Management System (Canvas) and the SIS, missing participation dates in Canvas for students re-added to course history, and instances where the last date of student participation could not be determined within Canvas.
Cause and Effect:
A. Incorrect Calculation of Return of Title IV Funds
Los Angeles Harbor College
The Financial Aid Senior Accounting Technician who processed the Fall 2023 return to Title IV (R2T4) calculations overlooked clicking the save button to update the SIS R2T4 worksheet for these 2 students. The calculations and review of the R2T4 batch were accurate, but the award updates on worksheets E, F, and G were not saved in the SIS, which caused the calculations to be slightly off.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP)
Despite the best efforts of the District office to implement the active enrollment roster, and its messaging to faculty requiring them to complete the active enrollment roster and post each student's last date of attendance, internal review demonstrated that additional actions must be taken to improve compliance. The SIS is used to maintain student records and to administer aid. Incorrect information in the SIS can lead to an incorrect return of Title IV funds calculation. Without a process to determine the accuracy of student withdrawal dates, there is a risk of incorrect return of Title IV calculations.
Questioned Costs:
A. Incorrect Calculation of Return of Title IV Funds - see schedule of findings and questioned costs.
B. Distance Education (DE) Courses – Implementation of Formal Process to Determine Accuracy of Student Withdrawal Date – Partial Implementation of Prior Year Corrective Action Plan (CAP) - Not applicable.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews; Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System (PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s expectation that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on tests of controls to verify that access of terminated employees is removed in a timely manner from PS SIS, SAP and Active Directory (AD), we noted that, of the terminated employees subject to testing:
1. 17 users were still active in PS SIS, 10 of whom had logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom had logged in after their termination.
3. 45 users were still active in AD, 20 of whom had logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, no review is performed to check the continued validity of regular users' access to these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
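Condition A above is, in substance, a leaver reconciliation: the HR list of terminated employees is compared against account status and last-logon data in PS SIS, SAP and AD. The following is an added Python example, not code from the report or the District, showing how that test of controls can be automated to produce the same two counts per system (terminated users still enabled, and how many of them authenticated after termination); the HR roster, the account export, its CSV columns and the grace window are constructed assumptions.

```python
"""
Leaver-access reconciliation across PS SIS, SAP and Active Directory (AD).

Added example, not code from the audit report or the District. Given an HR
roster of terminated employees and an account-status export from each system,
list every terminated employee who still holds an enabled account and flag
those who authenticated after their termination date. All records below are
constructed; the CSV layout and field names are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR roster (hypothetical ids): employee id -> termination date.
HR_TERMINATIONS: Dict[str, date] = {
    "E1001": date(2023, 9, 15),
    "E1002": date(2023, 11, 1),
    "E1003": date(2024, 2, 20),
    "E1004": date(2024, 4, 30),
}

# Constructed account export, one row per account per system.
# Columns: system, employee_id, account_name, enabled, last_logon (ISO date or blank).
ACCOUNT_EXPORT = """\
system,employee_id,account_name,enabled,last_logon
PS SIS,E1001,jsmith,true,2023-10-02
PS SIS,E1002,adoe,true,2023-10-28
PS SIS,E1003,bchen,false,2024-02-19
PS SIS,E2000,mactive,true,2024-06-01
SAP,E1001,JSMITH,true,
SAP,E1002,ADOE,false,2023-10-30
SAP,E1004,RLEE,true,2024-05-03
AD,E1001,jsmith,true,2023-10-02
AD,E1002,adoe,true,2023-12-15
AD,E1003,bchen,true,
AD,E1004,rlee,true,2024-04-29
"""


@dataclass(frozen=True)
class StaleAccount:
    """An enabled account whose owner HR has already terminated."""
    system: str
    employee_id: str
    account_name: str
    terminated_on: date
    last_logon: Optional[date]
    days_since_termination: int          # measured at the review date
    logged_in_after_termination: bool


def _parse_date(value: str) -> Optional[date]:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def reconcile(terminations: Dict[str, date], export_text: str,
              as_of: date, grace_days: int = 0) -> List[StaleAccount]:
    """One StaleAccount per enabled account whose owner was terminated more than
    `grace_days` before `as_of`. The grace window is an assumption; the finding
    itself only requires revocation to be timely. A logon on the termination
    date is not counted as post-termination (the employee may have worked it)."""
    stale: List[StaleAccount] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        term = terminations.get(row["employee_id"])
        if term is None:                          # current employee: out of scope
            continue
        if row["enabled"].strip().lower() != "true":
            continue                              # access already revoked
        age = (as_of - term).days
        if age <= grace_days:
            continue                              # still inside the revocation window
        last = _parse_date(row["last_logon"])
        stale.append(StaleAccount(row["system"], row["employee_id"],
                                  row["account_name"], term, last, age,
                                  bool(last and last > term)))
    return stale


def summarize(stale: List[StaleAccount]) -> Dict[str, Tuple[int, int]]:
    """Per system: (terminated users still enabled, of whom logged in afterwards),
    the two numbers the finding reports for PS SIS, SAP and AD."""
    counts: Dict[str, Tuple[int, int]] = {}
    for s in stale:
        active, after = counts.get(s.system, (0, 0))
        counts[s.system] = (active + 1, after + int(s.logged_in_after_termination))
    return counts


def review_accounts(as_of_iso: str, grace_days: int = 0) -> List[StaleAccount]:
    """Run the reconciliation over the constructed data for a review date."""
    return reconcile(HR_TERMINATIONS, ACCOUNT_EXPORT,
                     date.fromisoformat(as_of_iso), grace_days)


def run_review(as_of_iso: str, grace_days: int = 0) -> Dict[str, Tuple[int, int]]:
    return summarize(review_accounts(as_of_iso, grace_days))


if __name__ == "__main__":
    findings = review_accounts("2024-06-30")      # constructed review date
    for system, (active, after) in sorted(run_review("2024-06-30").items()):
        print(f"{system}: {active} terminated users still enabled, "
              f"{after} of whom logged in after termination")
    for f in findings:
        if f.logged_in_after_termination:
            print(f"  {f.system} {f.account_name} ({f.employee_id}) terminated "
                  f"{f.terminated_on}, last logon {f.last_logon}")
```

In practice the export would come from each system's user table or an AD query for `lastLogonTimestamp`, and the per-account list is the evidence to hand to the system owners for revocation.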
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
The compliance requirement that institutions monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)] is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption was implemented and observed on a sampled workstation that processes customer information. However, no encryption mechanism is currently implemented for the SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect all students’ data held at rest by encryption.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of access reviews for regular users increases the risk that inappropriate users or access remain undetected over time, which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data held on servers without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in
the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16
CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system
– Dispose of customer information securely
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards
it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to
enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it
knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s
expectation that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on test of controls to verify that access of terminated employees is timely removed in PS SIS, SAP and Active Directory (AD), we noted that out of the terminated employees subject for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data that is held to servers without encryption is vulnerable to unauthorized access specially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in
the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16
CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system
– Dispose of customer information securely
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards
it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to
enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it
knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s
expectation that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on test of controls to verify that access of terminated employees is timely removed in PS SIS, SAP and Active Directory (AD), we noted that out of the terminated employees subject for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest encryption for SAP and PS SIS Servers
Data that is held to servers without encryption is vulnerable to unauthorized access specially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information may be exposed.
Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student
Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews;
Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System
(PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student
Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in
the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16
CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system
– Dispose of customer information securely
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards
it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to
enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it
knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s
expectation that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on test of controls to verify that access of terminated employees is timely removed in PS SIS, SAP and Active Directory (AD), we noted that out of the terminated employees subject for testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
A compliance requirement that requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and observed for a sample workstation that processes customer information. However, encryption mechanisms are not currently implemented for SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of user access reviews for regular users increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers
Data held on servers without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.
Finding FA 2024-004: Special Tests and Provisions – Verification: Late Reporting of Verification Results
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.268
Federal Program Name: Student Financial Assistance Cluster;
Federal Supplement Educational Opportunity Grants (FSEOG),
Federal Work Study Program, Federal Pell Grant Program,
Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P007A210457, P033A210457, P063P210036, P268K220036
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: Los Angeles Harbor College
Los Angeles Trade Technical College
Los Angeles Valley College
Compliance Requirement: Special Tests and Provisions – Verification
Criteria or Specific Requirement:
Per the Application and Verification Guide of the 2023-2024 Federal Student Aid Handbook, Chapter 4, titled Verification, Updates, and Corrections, the institution must report the results of identity verification for any student for whom the institution (1) receives an ISIR with tracking flag V4 or V5, as selected by the Central Processing System (CPS), and (2) requests verification documentation. The institution reports this information on the FAA Access to CPS Online website. For the 2023–2024 award year, the institution then enters whichever of the following numeric codes best applies:
Code 1 – Verification completed in person, no issues found
Code 2 – Verification completed remotely, no issues found
Code 3 – Verification attempted; issues found with identity.
Code 5 – No response from applicant or unable to locate
The institution is required to report results no more than 60 days following the first request to the student for documentation of identity. Inaccurate or untimely reporting may subject the institution to findings in the annual compliance audit or a program review. If a result the institution has already submitted changes, the institution can submit the new code using the above process and must make that change within 30 days of becoming aware that the change occurred. The most recent submission will supplant prior award year submissions. Because the Financial Aid Administrator (FAA) Access website does not store a list of these verification results for the institution to retrieve, ED recommends that the institution print and keep the confirmation page for its records.
Identified Condition:
Los Angeles Harbor College, Los Angeles Trade Technical College, and Los Angeles Valley College
Of the 60 students selected for verification test work, we noted 10 students with verification codes (tracking flags) V4 and V5 whose files were reviewed and verification results submitted to CPS beyond the required 60-day timeframe following the campuses’ initial request to the student for identity documentation. See schedule of identified condition.
Cause and Effect:
Los Angeles Harbor College, Los Angeles Trade Technical College, and Los Angeles Valley College
Due to many unexpected FAFSA Simplification rollout issues for FY 2024-25, the Financial Aid Technicians could not start reviewing 2023-24 files until late into the summer term, and V4/V5 verification data was not reported until after file review had begun.
Questioned Costs:
Not applicable.
Finding FA 2024-005: Level of Effort: Performance Outcomes Not Met
Federal Program Information:
Assistance Listing Number: ALN 17.268
Federal Program Name: H-1B Job Training Grant
Federal Agency: U.S. Department of Labor (DOL)
Passed Through Entity: N/A
Federal Award Number: HG-33046-19-60-A-6
Federal Award Year: July 1, 2023, to June 30, 2024
Campuses: West Los Angeles College
Compliance Requirement: Level of Effort
Criteria or Specific Requirement:
Per the DOL’s Employment and Training Awards (ETA) Handbook, page 24: ETA places a very high priority on maximizing successful grant performance and relies heavily on frequent performance reporting to measure and track your success toward achieving satisfactory outcomes. ETA grantees are required to submit quarterly progress reports which track performance throughout the entire lifetime of the grant. These include a performance report comprised of data related to a number of performance targets and measurements specifically designed to align with the grant’s Statement of Work (SOW) and individual performance objectives: 1) Total grant participants served; 2) Total participants beginning and completing education/training activities; 3) Total number of credentials attained by participants; and 4) Total number of participants who secured and/or retained employment.
Per the SOW and Modified Contract, see schedule for the performance outcomes / key outcomes that were identified and planned for the program.
Per FOA-ETA-18-08 Apprentice Training and Employment Performance Outcomes: Applicants must include comprehensive numerical outcome projections for each of the seven outcome measures. The targets must be provided for each year of the grant, as well as for the total grant period. While applicants are required to propose goals for the seven outcome categories identified in Section IV.B.3.a.(2) Expected Outcomes and Outputs, which are specific to this Funding Opportunity Award (FOA), they will also be required to report outcomes in alignment with outcomes identified in the Workforce Innovation and Opportunity Act (WIOA), as applicable. Per Section IV.B.3.a.(2) of the Funding Opportunity Award for the H-1B Job Training Grant (FOA-ETA-18-08), grantees must meet measurable performance targets in key areas, including apprenticeship enrollment, program completion rates, job placement, wage increases, and retention within high-demand fields. These performance goals must correspond to the scope of each project’s funding level to ensure program impact and sustainability.
Identified Condition:
The District met or exceeded four out of six key performance outcomes, demonstrating effective management in several critical areas, including Participants Enrolled, Begin Education/Training, Entered Employment, and Expenditures. However, two key performance outcomes, Completed Education/Training and Attained Credential, were not met, reflecting areas of underperformance against the modified grant contract projections for the grant period ended June 30, 2024. See schedule for key outcome identified.
Cause and Effect:
The District implemented effective management strategies that resulted in success in four out of six key performance outcomes, including Participants Enrolled, Begin Education/Training, Entered Employment, and Expenditures. These outcomes benefited from efficient program delivery, resource allocation, and targeted interventions. However, the goals related to training completion and credential attainment were influenced by several factors outside the District’s control, such as the COVID-19 pandemic and participants’ personal circumstances, which may lead them to alter their commitment to the program. Despite not fully meeting the targets for training completion and credentialing, the program’s overall success remained unaffected, as it exceeded its original Funding Opportunity Announcement required performance outcome by placing over 5,000 participants into the job market.
Questioned Costs:
None.