Audit 365437

FY End: 2024-08-31
Total Expended: $13.17M
Findings: 8
Programs: 11
Organization: Rockland Community College (NY)
Year: 2024 Accepted: 2025-09-03
Auditor: Bonadio & CO LLP


Findings

ID       Ref       Severity           Repeat  Requirement
575392   2024-001  Material Weakness  -       N
575393   2024-001  Material Weakness  -       N
575394   2024-001  Material Weakness  -       N
575395   2024-001  Material Weakness  -       N
1151834  2024-001  Material Weakness  -       N
1151835  2024-001  Material Weakness  -       N
1151836  2024-001  Material Weakness  -       N
1151837  2024-001  Material Weakness  -       N

Programs

ALN     Program                                                   Spent     Major  Findings
84.063  Federal Pell Grant Program                                $7.54M    Yes    1
84.268  Federal Direct Student Loans                              $2.36M    Yes    1
84.031  Higher Education Institutional Aid                        $368,660  Yes    0
84.042  Trio Student Support Services                             $283,831  -      0
59.037  Small Business Development Centers                        $217,472  -      0
84.007  Federal Supplemental Educational Opportunity Grants       $193,917  Yes    1
64.027  Post-9/11 Veterans Educational Assistance                 $154,452  -      0
84.033  Federal Work-Study Program                                $77,008   Yes    1
84.335  Child Care Access Means Parents in School                 $73,225   -      0
17.245  Trade Adjustment Assistance                               $7,311    -      0
84.048  Career and Technical Education -- Basic Grants to States  $7,077    -      0

Contacts

Name Title Type
JZSTJWXX8QN1 Jonathan Batista Auditee
8455744730 Karen Lynch Auditor

Notes to SEFA

Accounting Policies: The accompanying schedule of expenditures of federal awards (SEFA) includes the federal grant activity of the Rockland Community College (College), under programs of the federal government for the year ended August 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net position, or cash flows for the College as a whole. The Schedule is presented using generally accepted accounting principles, as described in the College’s basic financial statements.
De Minimis Rate Used: N
Rate Explanation: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The College did not elect to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

BASIS OF PRESENTATION: The accompanying schedule of expenditures of federal awards (SEFA) includes the federal grant activity of the Rockland Community College (College), under programs of the federal government for the year ended August 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net position, or cash flows for the College as a whole.
BASIS OF ACCOUNTING: The Schedule is presented using generally accepted accounting principles, as described in the College’s basic financial statements.
INDIRECT COSTS: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The College did not elect to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.
MATCHING COSTS: Matching costs, i.e., the College’s share of certain program costs, are not included in the reported expenditures.
SUBRECIPIENTS: No amounts were provided to subrecipients.

Finding Details

Finding 2024-001
Student Financial Aid Cluster – Assistance Listing Numbers 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education; Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.
- The College is required to conduct a risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.
- The College is required to maintain a written information security program (WISP) containing the minimum elements of a written information security program. This was not provided.
- The College is required to conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.
- The College is required to monitor and test the effectiveness of its safeguards regularly. This was not provided.
- The College is required to provide support related to the security awareness training for all employees. This was not provided.
- The College is required to provide the vendor management policy and inventory. This was not provided.
- The College is required to provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, suggested to be at least annually and at any significant change in infrastructure or business process.
Finding 2024-001 Student Financial Aid Cluster – Assistance Listing Numbers - 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). 
Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.  The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.
Finding 2024-001 Student Financial Aid Cluster – Assistance Listing Numbers - 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). 
Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.  The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.
Finding 2024-001 Student Financial Aid Cluster – Assistance Listing Numbers - 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). 
Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.  The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.
Finding 2024-001 Student Financial Aid Cluster – Assistance Listing Numbers - 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). 
Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.  The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.
Finding 2024-001 Student Financial Aid Cluster – Assistance Listing Numbers - 84.007, 84.063, 84.268; Federal Agency – U.S. Department of Education Grant Period – Year ended August 31, 2024; Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). 
Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.  The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.