Audit 367160

FY End: 2024-12-31
Total Expended: $80.30M
Findings: 3
Programs: 13
Organization: Samuel Merritt University (CA)
Year: 2024
Accepted: 2025-09-23

Contacts

Name Title Type
FML1VQ2F8HK9 Tony Baraghimian Auditee
6613836253 Susan Malone Auditor
No contacts on file

Notes to SEFA

The accompanying Schedule of Expenditures of Federal Awards (the Schedule) includes the federal grant activity of the University under programs of the federal government for the year ended December 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in Uniform Guidance, wherein certain types of expenditure are not allowable or are limited as to reimbursement.
The University has elected to not use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.
The University administers the following federal loan programs. The amounts reflected in the Schedule for the various loan programs include the balance outstanding at the beginning of the fiscal year, any new loans issued, and any administrative cost allowances claimed against the loan program, if any.
84.038 – Federal Perkins Loan Program - Outstanding Balances at December 31, 2024 - $19,276.
93.342 – Health Professional Student Loans, Including Primary Care Loans and Loans for Disadvantaged Students - Outstanding Balances at December 31, 2024 - $1,630,726.
93.364 – Nursing Student Loans - Outstanding Balances at December 31, 2024 - $3,245,332.

Finding Details

2024-001 – Gramm-Leach-Bliley Act
Assistance Listing Number: Various – U.S. Department of Education – Student Financial Assistance Cluster
Criteria: Under the University’s Program Participation Agreement and the Student Aid Internet Gateway Agreement, institutions must have the Gramm-Leach-Bliley Act (GLBA) safeguards in place. GLBA requirements are related to protecting student financial aid information, specifically information provided in support of the administration of Title IV federal student financial aid. GLBA safeguards include a documented formal risk assessment of specific areas and controls, including those over monitoring of appropriate access levels to information systems.
Condition: The University has maintained a formal documented risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assess the sufficiency of any safeguards in place to control these risks. In addition, controls over access to the financial aid information system lacked monitoring procedures to ensure appropriate access levels were maintained as users changed roles at the University.
Context: During our testing of the University’s IT system, we inquired if the University has performed a risk assessment that addresses the three required areas noted above. Although there appear to be policies and procedures in place, we were unable to obtain written formal documentation relating to a risk assessment as required. As it relates to access controls, the University does not periodically review users’ access with management to ensure appropriate access is maintained by employees who change roles within the University.
Cause: The University has not documented a formal risk assessment of key IT controls relating to the security of information and review of monitoring procedures related to access controls.
Effect: Information may be at risk of unauthorized disclosure, misuse, alteration, destruction or compromise of such information.
Questioned Costs: There were no questioned costs related to this finding.
Recommendation: We recommend that the University document a formal risk assessment, along with recommendations for remediation of any open items and/or deficiencies, including implementing a process to review access levels with management for active employees.
Responsible Personnel: Marcus D Walton, Deputy Chief Operating Officer & CIO
2024-002 – Data Breach Reporting
Assistance Listing Number: Various – U.S. Department of Education – Student Financial Assistance Cluster
Criteria: Under the University’s Student Aid Internet Gateway Agreement, institutions must report actual data breaches as well as suspected data breaches. Institutions must report on the day that a data breach is detected or even suspected.
Condition: The University failed to report a data breach to the Department of Education, either on the day of detection or at any subsequent time. The breach involved a social engineering attack that happened to the institution’s third-party company, a platform provider, which led to the compromise of user accounts where attackers gained access to the personally identifiable data (PII) of five individuals employed by the University. One of those individuals had user access to the student information system at the time of the breach.
Cause: The University lacked policies, procedures, and guidelines around handling cybersecurity incidents relating to the Department of Education reporting requirements.
Effect: The breach was reported internally to management, actions were taken to identify the cause, and reporting was made to the individuals concerning the breach; however, the Department of Education was not notified as required.
Questioned Costs: There were no questioned costs related to this finding.
Recommendation: The University should update policies, procedures, and guidelines around handling cybersecurity incidents relating to personally identifiable information (PII), with regard to the Department of Education reporting requirements.
Responsible Personnel: Marcus D Walton, Deputy Chief Operating Officer & CIO
2024-003 – NSL Exit Interview Documentation
Assistance Listing Number: 93.364 Nursing Student Loan program
Criteria: According to 42 CFR Part 57 § 57.310 (b), the regulations require a school to conduct and document an exit interview with its borrowers. If a borrower fails to appear for an exit interview, the school must attempt to conduct the exit interview by mailing the exit interview information to the borrower. If the borrower fails to return the information, the school must maintain in the borrower’s file a copy of the repayment terms sent to the borrower and the date the exit interview information was mailed as documentation of the contact.
Condition/Context: The University did not properly maintain documentation of exit interviews and did not have signed Truth in Lending Statements on file for 5 of the 7 students selected for testing.
Effect: Documentation was not maintained and as such students may not have received appropriate repayment and other information related to their loans outstanding.
Questioned Costs: There were no questioned costs related to this finding.
Recommendation: The University should update policies, procedures, and guidelines around handling of exit interviews and related documentation if a student does not appear in person for the interview. Regulations should be reviewed to create a list of the necessary documents to be maintained by the school.
Responsible Personnel: Tony Baraghimian, Deputy CFO & Controller