Audit 359750

FY End: 2024-06-30
Total Expended: $22.01M
Findings: 42
Programs: 15
Organization: Harris-Stowe State University (MO)
Year: 2024 Accepted: 2025-06-24
Auditor: Rubinbrown LLP

Findings

ID Ref Severity Repeat Requirement
566850 2024-008 Material Weakness - N
566851 2024-008 Material Weakness - N
566852 2024-008 Material Weakness - N
566853 2024-008 Material Weakness - N
566854 2024-008 Material Weakness - N
566855 2024-008 Material Weakness - N
566856 2024-008 Material Weakness - N
566857 2024-006 Significant Deficiency - AB
566858 2024-006 Significant Deficiency - AB
566859 2024-006 Significant Deficiency - AB
566860 2024-006 Significant Deficiency - AB
566861 2024-006 Significant Deficiency - AB
566862 2024-005 Material Weakness - C
566863 2024-005 Material Weakness - C
566864 2024-005 Material Weakness - C
566865 2024-007 Material Weakness - AB
566866 2024-007 Material Weakness - AB
566867 2024-004 Material Weakness - P
566868 2024-004 Material Weakness - P
566869 2024-004 Material Weakness - P
566870 2024-004 Material Weakness - P
1143292 2024-008 Material Weakness - N
1143293 2024-008 Material Weakness - N
1143294 2024-008 Material Weakness - N
1143295 2024-008 Material Weakness - N
1143296 2024-008 Material Weakness - N
1143297 2024-008 Material Weakness - N
1143298 2024-008 Material Weakness - N
1143299 2024-006 Significant Deficiency - AB
1143300 2024-006 Significant Deficiency - AB
1143301 2024-006 Significant Deficiency - AB
1143302 2024-006 Significant Deficiency - AB
1143303 2024-006 Significant Deficiency - AB
1143304 2024-005 Material Weakness - C
1143305 2024-005 Material Weakness - C
1143306 2024-005 Material Weakness - C
1143307 2024-007 Material Weakness - AB
1143308 2024-007 Material Weakness - AB
1143309 2024-004 Material Weakness - P
1143310 2024-004 Material Weakness - P
1143311 2024-004 Material Weakness - P
1143312 2024-004 Material Weakness - P

Contacts

Name Title Type
U27FC9RA48L3 Terence Finley Auditee
3143403335 Brandi Lawyer Auditor

Notes to SEFA

Accounting Policies (stated identically in every note): The accompanying Schedule of Expenditures of Federal Awards (the Schedule) presents the activity of all federal awards programs of Harris-Stowe State University (the University). The information in this Schedule is presented in accordance with the requirement of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the Schedule may differ from amounts presented in, or used in the preparation of, the financial statements. De Minimis Rate Used: N. Rate Explanation: The University has not elected to use the 10% de minimis indirect cost rate as allowed in the Uniform Guidance, Section 414.

Title: Basis of Accounting: The accompanying Schedule is presented using the accrual basis of accounting, which is described in Note 2 to the financial statements of the University.

Title: Relationship To The Financial Statements: Federal financial assistance revenues from the Federal Work Study, the Federal Supplemental Educational Opportunity Grant, and Federal Pell Grant programs are reported in the University’s financial statements as federal grant revenues. The activity of the Direct Loan programs is not included in the University’s financial statements, as the benefits of these programs are awarded directly to students and not to the University.

Title: Loan Programs: The University is responsible only for the performance of certain administrative duties with respect to the Federal Direct Loan Program and accordingly, it is not practical to determine the balance of loans outstanding to students and former students of the University under this program at June 30, 2024. The following schedule represents loans advanced by the University as of and for the year ended June 30, 2024:
Student Financial Aid: Department of Education - Federal Direct Student Loans - ALN # 84.268 - $4,500,398

Title: Commitments: At June 30, 2024, the University has outstanding obligations to pass through federal awards to subrecipients under grant awards covering the respective period of July 1, 2024 through April 30, 2025:
Missouri Louis Stokes Alliances for Minority Participation - Truman State University - #47.076 - $31,146
Missouri Louis Stokes Alliances for Minority Participation - St. Louis Community College - #47.076 - $2,382
Missouri Louis Stokes Alliances for Minority Participation - Missouri State University - #47.076 - $70,905
Missouri Louis Stokes Alliances for Minority Participation - University of Missouri - St. Louis - #47.076 - $559
Missouri Louis Stokes Alliances for Minority Participation - University of Missouri - Columbia - #47.076 - $53,149
Total - $158,141

Finding Details

Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding
Student Financial Aid Cluster
Federal Agency: U.S. Department of Education
Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268
Pass-Through Entity: None

Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, that the program be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it’s in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program.

Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks.

Questioned Costs: Not applicable.

Context: We inquired with the University personnel regarding GLBA regulations and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance.

Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program. Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks. Questioned Costs: Not applicable. Context: We inquired with the University personnel regarding GLBA regulations and noted the following: • There is currently no written information security program in place. • The University has not conducted risk assessments specifically addressing risks related to student data. • Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption. • There are no documented policies governing physical or logical access controls. • Account management practices are informal, with no formal processes or policies in place. • Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented. 
• A written data retention policy has not been established. • There is no formal change management process or policy currently in place. • There are no formal policies or requirements for security training for University personnel. Identification As A Repeat Finding: Not applicable. Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance. Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include: 1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4. 2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate. 3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data. 4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed. 5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. 
An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025. 6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade. 7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program. Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks. Questioned Costs: Not applicable. Context: We inquired with the University personnel regarding GLBA regulations and noted the following: • There is currently no written information security program in place. • The University has not conducted risk assessments specifically addressing risks related to student data. • Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption. • There are no documented policies governing physical or logical access controls. • Account management practices are informal, with no formal processes or policies in place. • Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented. 
• A written data retention policy has not been established. • There is no formal change management process or policy currently in place. • There are no formal policies or requirements for security training for University personnel. Identification As A Repeat Finding: Not applicable. Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance. Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include: 1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4. 2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate. 3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data. 4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed. 5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. 
An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025. 6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade. 7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers, and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program.

Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks.

Questioned Costs: Not applicable.

Context: We inquired with University personnel regarding GLBA regulations and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the currently informal practices in order to ensure appropriate compliance.

Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework.
The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-006 – Significant Deficiency: Allowable Costs and Activities – Control Finding

ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster
Federal Agency: U.S. Department of Education
Federal Award Numbers: P042A151026, P044A160377, and P047A170574
Pass-Through Entity: None

SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) For The Year Ended June 30, 2024

ALN 84.031 - Title III - Higher Education – Institutional Aid
Federal Agency: U.S. Department of Education
Federal Award Numbers: P031B170058 and P031E200062
Pass-Through Entity: None

Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place, and operating effectively to ensure compliance with the requirements of the federal programs.

Condition: We noted through procedures performed that payroll costs were not charged to the grant in accordance with the time and effort certification.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.

Questioned Costs: Not applicable.

Context:
TRIO Cluster - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 64% should have been allocated. In addition, three individual costs in the sample lacked appropriate review and approval for the charges applied to the grant. This indicates that the control over compliance was not operating effectively.
Title III - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 89% should have been allocated. This indicates that the control over compliance was not operating effectively.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that management review the internal controls over allowable costs and activities to ensure the control is designed so that the correct amount of salary is charged to the grant based on the approved time and effort certifications.

Views Of Responsible Officials: Payroll charges to federal programs must match certified time and effort documentation. The Director of Sponsored Programs, the Director of Title III, and the Grant Accountant will jointly review allocations before payrolls are processed. Monthly reports will be generated for review by the Grant Accountant, and discrepancies must be corrected within 30 days. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-006 – Significant Deficiency: Allowable Costs and Activities – Control Finding ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster Federal Agency: U.S. Department of Education Federal Award Numbers: P042A151026, P044A160377, and P047A170574 Pass-Through Entity: None SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) For The Year Ended June 30, 2024 ALN 84.031 - Title III - Higher Education – Institutional Aid Federal Agency: U.S. Department of Education Federal Award Numbers: P031B170058 and P031E200062 Pass-Through Entity: None Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs. Condition: We noted through procedures performed that payroll costs were not charged to the grant in accordance with the time and effort certification. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance. Questioned Costs: Not applicable. Context: TRIO Cluster - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 64% should have been allocated. In addition, three individual costs in the sample lacked appropriate review and approval for the charges applied to the grant. This indicates that the control over compliance was not operating effectively. Title III - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 89% should have been allocated. 
This indicates that the control over compliance was not operating effectively. Identification As A Repeat Finding: Not applicable Recommendation: We recommend that management review the internal controls over allowable costs and activities to ensure the control is designed to ensure the correct amount of salaries are charged to the grant based on the approved time and effort certifications. Views Of Responsible Officials: Payroll charges to federal programs must match certified time and effort documentation. The Director of Sponsored Programs, the Director of Title III, and the Grant Accountant will jointly review allocations before payrolls are processed. Monthly reports will be generated for review by the Grant Accountant, and discrepancies must be corrected within 30 days. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-006 – Significant Deficiency: Allowable Costs and Activities – Control Finding ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster Federal Agency: U.S. Department of Education Federal Award Numbers: P042A151026, P044A160377, and P047A170574 Pass-Through Entity: None SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) For The Year Ended June 30, 2024 ALN 84.031 - Title III - Higher Education – Institutional Aid Federal Agency: U.S. Department of Education Federal Award Numbers: P031B170058 and P031E200062 Pass-Through Entity: None Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs. Condition: We noted through procedures performed that payroll costs were not charged to the grant in accordance with the time and effort certification. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance. Questioned Costs: Not applicable. Context: TRIO Cluster - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 64% should have been allocated. In addition, three individual costs in the sample lacked appropriate review and approval for the charges applied to the grant. This indicates that the control over compliance was not operating effectively. Title III - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 89% should have been allocated. 
This indicates that the control over compliance was not operating effectively. Identification As A Repeat Finding: Not applicable Recommendation: We recommend that management review the internal controls over allowable costs and activities to ensure the control is designed to ensure the correct amount of salaries are charged to the grant based on the approved time and effort certifications. Views Of Responsible Officials: Payroll charges to federal programs must match certified time and effort documentation. The Director of Sponsored Programs, the Director of Title III, and the Grant Accountant will jointly review allocations before payrolls are processed. Monthly reports will be generated for review by the Grant Accountant, and discrepancies must be corrected within 30 days. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-006 – Significant Deficiency: Allowable Costs and Activities – Control Finding ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster Federal Agency: U.S. Department of Education Federal Award Numbers: P042A151026, P044A160377, and P047A170574 Pass-Through Entity: None SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) For The Year Ended June 30, 2024 ALN 84.031 - Title III - Higher Education – Institutional Aid Federal Agency: U.S. Department of Education Federal Award Numbers: P031B170058 and P031E200062 Pass-Through Entity: None Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs. Condition: We noted through procedures performed that payroll costs were not charged to the grant in accordance with the time and effort certification. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance. Questioned Costs: Not applicable. Context: TRIO Cluster - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 64% should have been allocated. In addition, three individual costs in the sample lacked appropriate review and approval for the charges applied to the grant. This indicates that the control over compliance was not operating effectively. Title III - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, despite the time and effort certification indicating that only 89% should have been allocated. 
This indicates that the control over compliance was not operating effectively. Identification As A Repeat Finding: Not applicable Recommendation: We recommend that management review the internal controls over allowable costs and activities to ensure the control is designed to ensure the correct amount of salaries are charged to the grant based on the approved time and effort certifications. Views Of Responsible Officials: Payroll charges to federal programs must match certified time and effort documentation. The Director of Sponsored Programs, the Director of Title III, and the Grant Accountant will jointly review allocations before payrolls are processed. Monthly reports will be generated for review by the Grant Accountant, and discrepancies must be corrected within 30 days. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-005 – Material Weakness: Cash Management – Control Finding

ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster
Federal Agency: Department of Education
Federal Award Numbers: P042A151026, P044A160377, and P047A170574
Pass-Through Entity: None

Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs.

Condition: Based on the testing completed over the cash management compliance requirement, the University did not retain documentation of a second review of the cash drawdown to verify that the correct amount of funds is requested.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.

Questioned Costs: Not applicable.

Context: During testing performed for cash management, each of the 5 cash drawdowns reviewed was completed without a second review. Statistical sampling was not used to test this compliance requirement.

Identification As A Repeat Finding: 2022-004

Recommendation: We recommend that management put a control in place for a second review of the cash drawdown requests. The second review should be properly documented with the reviewer’s signature and the date the review was performed. The second review should be performed by someone other than the preparer who has knowledge of the grant’s requirements.

Views Of Responsible Officials: The University will enforce a review system for all federal drawdown requests. The Grant Accountant, Principal Investigator, and Comptroller will sign and date the drawdown documentation prior to submission. Review checklists will be used to validate expenditures against the general ledger support. Drawdowns are scheduled to be completed by the 15th of each month.
Finding 2024-007 – Material Weakness: Allowable Costs and Activities – Compliance and Control Finding

ALN 84.116 – Fund for the Improvement of Postsecondary Education
Federal Agency: U.S. Department of Education
Federal Award Numbers: P116Z230322 and P116Z220015
Pass-Through Entity: None

Criteria Or Specific Requirement: 2 CFR section 200.403 requires adequate documentation for allowable activities and costs, and 2 CFR section 200.403(e) requires charges to the grant to be in accordance with generally accepted accounting principles (GAAP). Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs.

Condition: We noted through procedures performed that costs were not supported by adequate documentation and costs were not charged to the grant in accordance with GAAP. Internal controls designed for this federal program did not detect these errors.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.

Questioned Costs: $34,890 of known questioned costs were identified in our testing sample. Likely questioned costs exceed $25,000.

Context: In a sample of 40 individual costs charged to the grant, the following occurred:
• A charge of $3,000 was recorded against the grant but was supported by documentation totaling only $621.
• A charge of $32,511 was recorded as an expense to the grant, although the amount related to prepaid costs for future services or benefits that had not yet been incurred.
• In addition, 31 individual costs in the sample lacked appropriate review and approval for the charges applied to the grant.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that management review the internal controls over allowable costs and activities to ensure the control is designed so that the correct amount of salaries is charged to the grant based on the approved time and effort certifications.

Views Of Responsible Officials: All expenses must be supported by documentation and comply with Generally Accepted Accounting Principles (GAAP) standards. A pre-review checklist will be required for all charges against FIPSE grants. Prepaid items must be recorded in the prepaid ledger and amortized appropriately. Documentation will be retained in alignment with the University Record Retention policy. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-004 – Material Weakness: Schedule of Expenditures of Federal Awards – Control Finding

ALN 21.027 – COVID-19 – Coronavirus State And Local Fiscal Recovery Funds
Federal Agency: U.S. Department of Treasury
Federal Award Number: PA4HS
Pass-Through Entity: Missouri Department of Higher Education and Workforce Development

ALN 84.116 – Fund For The Improvement Of Postsecondary Education
Federal Agency: U.S. Department of Education
Federal Award Numbers: P116Z230322 and P116Z220015
Pass-Through Entity: None

ALN 11.307 – Economic Adjustment Assistance
Federal Agency: U.S. Department of Commerce
Federal Award Number: N/A
Pass-Through Entity: Bio-STL

Criteria Or Specific Requirement: 2 CFR Section 200.510 states that the auditee must prepare the schedule of expenditures of federal awards (SEFA or “Schedule”) and the Schedule must provide total awards expended for each individual ALN.

Condition: During the audit, the following corrections were made to the SEFA:
• Federal expenditures totaling $4,892,149 were classified under the wrong program ALN. The reclassification of these expenditures resulted in a change to the major program determination.
• Federal expenditures totaling $181,184 were not included on the SEFA.
• Federal expenditures were adjusted by $1,933,710 to accrue reimbursable expenditures related to fiscal year 2024.
The Schedule provided did not identify amounts passed through to subrecipients.

Cause: Management does not have an internal control process in place to ensure an accurate Schedule.

Effect: The possibility exists that errors within the Schedule could become material to the financial statements or result in an incorrect major program determination.

Questioned Costs: Not applicable.

Context: A sufficient review of the Schedule did not occur, so errors were not detected.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that management assign the review of the SEFA to an individual who is knowledgeable about federal grants. In addition, grant agreements should be retained in a central repository to aid in the review of the SEFA. Lastly, the CFO should perform a year-over-year comparison of the SEFA by ALN and make inquiries of agencies regarding significant variances.

Views Of Responsible Officials: The Grant Accountant, in collaboration with the Comptroller and Director of Sponsored Programs, will compile SEFA data on a quarterly basis and reconcile it against CX reports. The Sponsored Programs Director will verify all Assistance Listing Numbers (ALNs), subrecipient amounts, and accruals. Documentation of all federal awards and drawdowns will be maintained in a centralized repository for internal and audit access.
Finding 2024-008 – Material Weakness: Special Tests and Provisions – Compliance and Control Finding

Student Financial Aid Cluster
Federal Agency: U.S. Department of Education
Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268
Pass-Through Entity: None

Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, that the program be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it is in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing in the WISP how it will complete the monitoring and testing. The University is also responsible for documenting in the WISP how it will oversee its information system service providers, and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program.

Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks.

Questioned Costs: Not applicable.

Context: We inquired with the University personnel regarding GLBA regulations and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the currently informally implemented practices in order to ensure appropriate compliance.

Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework.
The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding
Student Financial Aid Cluster
Federal Agency: U.S. Department of Education
Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268
Pass-Through Entity: None

Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to comply with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) that the University is required to establish. The WISP requirements at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, that the program be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it is in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and monitor for unauthorized access
In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and for establishing in the WISP how it will complete that monitoring and testing. The University is also responsible for documenting in the WISP how it will oversee its information system service providers, and shall provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program.

Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation.

Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.

Effect: Failure to meet the requirements of the FTC Safeguards Rule could leave the University exposed to cybersecurity and student data protection risks.

Questioned Costs: Not applicable.

Context: We inquired with University personnel regarding GLBA regulations and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.

Identification As A Repeat Finding: Not applicable.

Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance.

Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program. Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks. Questioned Costs: Not applicable. Context: We inquired with the University personnel regarding GLBA regulations and noted the following: • There is currently no written information security program in place. • The University has not conducted risk assessments specifically addressing risks related to student data. • Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption. • There are no documented policies governing physical or logical access controls. • Account management practices are informal, with no formal processes or policies in place. • Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented. 
• A written data retention policy has not been established. • There is no formal change management process or policy currently in place. • There are no formal policies or requirements for security training for University personnel. Identification As A Repeat Finding: Not applicable. Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance. Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include: 1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4. 2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate. 3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data. 4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed. 5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. 
An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025. 6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade. 7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program. Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks. Questioned Costs: Not applicable. Context: We inquired with the University personnel regarding GLBA regulations and noted the following: • There is currently no written information security program in place. • The University has not conducted risk assessments specifically addressing risks related to student data. • Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption. • There are no documented policies governing physical or logical access controls. • Account management practices are informal, with no formal processes or policies in place. • Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented. 
• A written data retention policy has not been established. • There is no formal change management process or policy currently in place. • There are no formal policies or requirements for security training for University personnel. Identification As A Repeat Finding: Not applicable. Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance. Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include: 1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4. 2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate. 3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data. 4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed. 5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. 
An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025. 6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade. 7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
The University is also responsible for documenting in the WISP how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program. Condition: The current state of the University’s Information Security Program is not in compliance with the regulatory obligation. Cause: Controls over compliance put in place by management were not operating effectively as it relates to these compliance requirements. Effect: The failure to meet the requirements of the FTC Safeguards Rule could make the University vulnerable to cyber security and student data protection risks. Questioned Costs: Not applicable. Context: We inquired with the University personnel regarding GLBA regulations and noted the following: • There is currently no written information security program in place. • The University has not conducted risk assessments specifically addressing risks related to student data. • Third-party cloud providers, which implement security practices, are utilized to protect student data. These providers encrypt student data when stored on cloud platforms; however, the University does not currently use encryption for local servers or endpoints. Furthermore, there are no established policies regarding encryption. • There are no documented policies governing physical or logical access controls. • Account management practices are informal, with no formal processes or policies in place. • Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented. 
• A written data retention policy has not been established. • There is no formal change management process or policy currently in place. • There are no formal policies or requirements for security training for University personnel. Identification As A Repeat Finding: Not applicable. Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the current informally implemented practices in order to ensure appropriate compliance. Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include: 1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4. 2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate. 3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data. 4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed. 5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. 
An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025. 6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade. 7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework. The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding Student Financial Aid Cluster Federal Agency: U.S. Department of Education Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268 Pass-Through Entity: None Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) required to be established by the University. The requirements for the WISP noted at 16 CFR 314.4 require that the University designate a Qualified Individual responsible for overseeing and implementing the University’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented: • Implement and periodically review access controls • Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access • In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the WISP. 
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding
Student Financial Aid Cluster – ALN 84.007, 84.033, 84.063, 84.379 and 84.268
Federal Agency: U.S. Department of Education
Pass-Through Entity: None
Criteria Or Specific Requirement: The Federal Trade Commission (FTC) issued the revised FTC Safeguards Rule on December 9, 2021, and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The revised rule expanded the requirements for the Written Information Security Program (WISP) that the University must establish. Under 16 CFR 314.4 the University must designate a Qualified Individual responsible for overseeing and implementing its information security program, must base the program on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and must document the following 8 safeguards:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it is in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and monitor for unauthorized access
In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and for establishing in the WISP how it will complete that monitoring and testing. The University is also responsible for documenting in the WISP how it will oversee its information system service providers, and must provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the program.
Condition: The current state of the University’s information security program is not in compliance with this regulatory obligation.
Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.
Effect: Failure to meet the requirements of the FTC Safeguards Rule leaves the University exposed to cyber security and student data protection risks.
Questioned Costs: Not applicable.
Context: We inquired with University personnel regarding GLBA compliance and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• Third-party cloud providers, which implement their own security practices, are used to hold student data. These providers encrypt student data at rest on their platforms; however, the University does not encrypt local servers or endpoints, and it has no established policy on encryption.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.
Identification As A Repeat Finding: Not applicable.
Recommendation: We recommend that the University implement a more robust WISP, conduct a broader risk assessment, and begin documenting the practices that are currently implemented informally, in order to ensure appropriate compliance.
Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated. Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and is decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework.
The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.
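Three of the corrective actions above (the Active Directory account review, endpoint encryption, and monitoring for unauthorized access) correspond to safeguards in 16 CFR 314.4(c) that can be evidenced directly from a Windows domain rather than by inquiry alone. The script below is an added example, not the auditors' procedure and not code from the University, Omega Technical Solutions or iLeap Group. It assumes the RSAT ActiveDirectory and BitLocker modules, a domain account with read access, local administrator rights for the Security log and BitLocker queries, and placeholder values for the 90-day inactivity threshold, the search base DN and the output folder; none of those figures come from the audit.

```powershell
#Requires -Modules ActiveDirectory, BitLocker
<#
  Added example (not the auditors' or the University's code). Collects evidence for
  three 16 CFR 314.4(c) safeguards named in Finding 2024-008: account review (access
  controls), encryption at rest on endpoints, and detection of unauthorized access
  from the Windows Security log. The threshold, DN and output folder are assumed.
#>
param(
    [int]    $InactiveDays = 90,                   # assumed review threshold
    [string] $SearchBase   = 'DC=example,DC=edu',  # hypothetical domain DN
    [string] $OutDir       = "$env:USERPROFILE\wisp-evidence",
    [switch] $Disable                              # opt-in enforcement, off by default
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Access controls / account management: enabled accounts with no logon inside the
#    threshold are candidates for deactivation or role reassignment. LastLogonDate comes
#    from the replicated lastLogonTimestamp, which can lag by up to 14 days, so this is
#    a review list, not a deletion list. Never-logged-on accounts are listed only when
#    they are older than the threshold, so newly provisioned accounts are not flagged.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
             -Properties LastLogonDate, PasswordLastSet, whenCreated, MemberOf |
    Where-Object {
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and
        ($_.whenCreated -lt $cutoff)
    } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet,
                  @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } }
$stale | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "stale-accounts-$stamp.csv")

# Enforcement is reversible on purpose: disable rather than delete, and record why,
# so group memberships and the audit trail survive for the reviewer.
if ($Disable) {
    foreach ($u in $stale) {
        Disable-ADAccount -Identity $u.DistinguishedName -Confirm:$false
        Set-ADUser -Identity $u.DistinguishedName `
            -Description "Disabled $stamp - inactive > $InactiveDays days (WISP account review)"
    }
}

# 2. Encryption at rest: BitLocker state of the fixed volumes on this machine. Run it on
#    every endpoint (through remoting or an endpoint-management job) and keep the CSVs;
#    ProtectionStatus 'Off' on a volume holding student data is the condition the
#    finding describes.
$bitlocker = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
    Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                  MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'KeyProtectors'; e = { $_.KeyProtector.KeyProtectorType -join ';' } }
$bitlocker | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "bitlocker-$env:COMPUTERNAME-$stamp.csv")

# 3. Logging and detection of unauthorized access: failed logons (event 4625) over the
#    last 24 hours, grouped by target account and source address. One account hit from
#    many sources, or one source trying many accounts, is the pattern to escalate.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Target    = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            SubStatus = $data['SubStatus']   # 0xC0000064 = no such user, 0xC000006A = bad password
        }
    }
$failed | Group-Object Target, Source |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Target;Source'; e = { $_.Name } } |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "failed-logons-$stamp.csv")

"{0} stale accounts, {1} volumes, {2} failed logons written to {3}" -f `
    @($stale).Count, @($bitlocker).Count, @($failed).Count, $OutDir
```

The CSVs are the artefacts an auditor can tie to the WISP's testing and monitoring section: the stale-account list shows the periodic access review actually ran, the BitLocker export shows which endpoints still lack protection, and the failed-logon summary shows that authorized-user activity is being logged and examined. The -Disable switch is off by default so that a review can be repeated and evidenced before any account is changed.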
Finding 2024-006 – Significant Deficiency: Allowable Costs and Activities – Control Finding
ALN 84.042 – Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound – TRIO Cluster
Federal Agency: U.S. Department of Education
Federal Award Numbers: P042A151026, P044A160377, and P047A170574
Pass-Through Entity: None
SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) For The Year Ended June 30, 2024
ALN 84.031 - Title III - Higher Education – Institutional Aid
Federal Agency: U.S. Department of Education
Federal Award Numbers: P031B170058 and P031E200062
Pass-Through Entity: None
Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs.
Condition: We noted through procedures performed that payroll costs were not charged to the grant in accordance with the time and effort certification.
Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.
Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.
Questioned Costs: Not applicable.
Context: TRIO Cluster - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, although the time and effort certification indicated that only 64% should have been allocated. In addition, three individual costs in the sample lacked appropriate review and approval of the charges applied to the grant. This indicates that the control over compliance was not operating effectively. Title III - In a sample of 40 individual costs charged to the grant, one payroll item was found where 100% of an employee’s salary was charged to the grant, although the time and effort certification indicated that only 89% should have been allocated. This indicates that the control over compliance was not operating effectively.
Identification As A Repeat Finding: Not applicable.
Recommendation: We recommend that management review the internal controls over allowable costs and activities so that the control is designed to ensure the correct amount of salaries is charged to the grant based on the approved time and effort certifications.
Views Of Responsible Officials: Payroll charges to federal programs must match certified time and effort documentation. The Director of Sponsored Programs, the Director of Title III, and the Grant Accountant will jointly review allocations before payrolls are processed. Monthly reports will be generated for review by the Grant Accountant, and discrepancies must be corrected within 30 days. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-005 - Material Weakness: Cash Management - Control Finding
ALN 84.042 - Student Support Services, 84.044 – Talent Search and 84.047 – Upward Bound - TRIO Cluster
Federal Agency: U.S. Department of Education
Federal Award Numbers: P042A151026, P044A160377, and P047A170574
Pass-Through Entity: None
Criteria Or Specific Requirement: Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs.
Condition: Based on the testing completed over the cash management compliance requirement, the University did not retain documentation of a second review of the cash drawdown to verify that the correct amount of funds is requested.
Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.
Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.
Questioned Costs: Not applicable.
Context: During testing performed for cash management, each of the 5 cash drawdowns reviewed had been completed without a second review. Statistical sampling was not used to test this compliance requirement.
Identification As A Repeat Finding: 2022-004
Recommendation: We recommend that management put a control in place for a second review of cash drawdown requests. The second review should be documented with the reviewer’s signature and the date the review was performed, and should be performed by someone other than the preparer who has knowledge of the grant’s requirements.
Views Of Responsible Officials: The University will enforce a review system for all federal drawdown requests. The Grant Accountant, Principal Investigator, and Comptroller will sign and date the drawdown documentation prior to submission. Review checklists will be used to validate expenditures against the general ledger support. Drawdowns are scheduled to be completed by the 15th of each month.
Finding 2024-007 - Material Weakness: Allowable Costs and Activities – Compliance and Control Finding
ALN 84.116 – Fund for the Improvement of Postsecondary Education
Federal Agency: U.S. Department of Education
Federal Award Numbers: P116Z230322 and P116Z220015
Pass-Through Entity: None
Criteria Or Specific Requirement: 2 CFR section 200.403 requires adequate documentation for allowable activities and costs, and 2 CFR section 200.403(e) requires charges to the grant to be in accordance with generally accepted accounting principles (GAAP). Uniform Guidance requires that controls over compliance be properly designed, in place and operating effectively to ensure compliance with the requirements of the federal programs.
Condition: We noted through procedures performed that costs were not supported by adequate documentation and that costs were not charged to the grant in accordance with GAAP. Internal controls designed for this federal program did not detect these errors.
Cause: Controls over compliance put in place by management were not operating effectively as they relate to these compliance requirements.
Effect: The possibility exists that noncompliance with federal requirements could go undetected without proper controls over compliance.
Questioned Costs: $34,890 of known questioned costs were identified in our testing sample. Likely questioned costs exceed $25,000.
Context: In a sample of 40 individual costs charged to the grant, the following occurred:
• A charge of $3,000 was recorded against the grant but was supported by documentation totaling only $621, leaving $2,379 unsupported.
• A charge of $32,511 was recorded as an expense to the grant, although the amount related to prepaid costs for future services or benefits that had not yet been incurred.
• In addition, 31 individual costs in the sample lacked appropriate review and approval of the charges applied to the grant.
The two items above ($2,379 unsupported plus $32,511 prepaid) make up the $34,890 of known questioned costs.
Identification As A Repeat Finding: Not applicable.
Recommendation: We recommend that management review the internal controls over allowable costs and activities so that the control is designed to ensure that costs charged to the grant are supported by adequate documentation and are recorded in accordance with GAAP.
Views Of Responsible Officials: All expenses must be supported by documentation and comply with Generally Accepted Accounting Principles (GAAP) standards. A pre-review checklist will be required for all charges against FIPSE grants. Prepaid items must be recorded in the prepaid ledger and amortized appropriately. Documentation will be retained in alignment with the University Record Retention policy. Management will implement a formal review and approval process to ensure that all allowable costs are verified for compliance with applicable regulations and approved by designated personnel prior to reimbursement or payment.
Finding 2024-004 - Material Weakness: Schedule of Expenditures of Federal Awards – Control Finding
ALN 21.027 – COVID-19 – Coronavirus State And Local Fiscal Recovery Funds
Federal Agency: U.S. Department of Treasury
Federal Award Number: PA4HS
Pass-Through Entity: Missouri Department of Higher Education and Workforce Development
ALN 84.116 – Fund For The Improvement Of Postsecondary Education
Federal Agency: U.S. Department of Education
Federal Award Numbers: P116Z230322 and P116Z220015
Pass-Through Entity: None
ALN 11.307 – Economic Adjustment Assistance
Federal Agency: U.S. Department of Commerce
Federal Award Number: N/A
Pass-Through Entity: Bio-STL
Criteria Or Specific Requirement: 2 CFR Section 200.510 states that the auditee must prepare the schedule of expenditures of federal awards (SEFA or “Schedule”) and that the Schedule must provide total awards expended for each individual ALN.
Condition: During the audit, the following corrections were made to the SEFA:
• Federal expenditures totaling $4,892,149 were classified under the wrong program ALN. The reclassification of these expenditures resulted in a change to the major program determination.
• Federal expenditures totaling $181,184 were not included on the SEFA.
• Federal expenditures were adjusted by $1,933,710 to accrue reimbursable expenditures related to fiscal year 2024.
The Schedule provided did not identify amounts passed through to subrecipients.
Cause: Management does not have an internal control process in place to ensure an accurate Schedule.
Effect: The possibility exists that errors within the Schedule could become material to the financial statements or result in an incorrect major program determination.
Questioned Costs: Not applicable.
Context: A sufficient review of the Schedule did not occur, so errors were not detected.
Identification As A Repeat Finding: Not applicable.
Recommendation: We recommend that management assign the review of the SEFA to an individual who is knowledgeable about federal grants. In addition, grant agreements should be retained in a central repository to aid in the review of the SEFA. Lastly, the CFO should perform a year-over-year comparison of the SEFA by ALN and make inquiries of agencies regarding significant variances.
Views Of Responsible Officials: The Grant Accountant, in collaboration with the Comptroller and Director of Sponsored Programs, will compile SEFA data on a quarterly basis and reconcile it against CX reports. The Sponsored Programs Director will verify all Assistance Listing Numbers (ALNs), subrecipient amounts, and accruals. Documentation of all federal awards and drawdowns will be maintained in a centralized repository for internal and audit access.