Audit 368028

Information on the Federal Program - Federal Pell Grant Program (ALN: 84.063) and Federal Direct Stafford Loans (ALN: 84.268) Criteria or Specific Requirement – N. Special Tests and Provisions - The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers. Under an institution’s Program Participation Agreement with the Department of Education (ED) and the GLBA, institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the federal student financial aid programs. Accordingly, institutions are required to develop, implement, and maintain a written comprehensive information security program. Condition – During our audit procedures, we noted that Centra’s written information security program did not entirely meet all minimum requirements of the GLBA and therefore was not fully in compliance with the requirement. Cause – Insufficient internal controls and administrative oversight with respect to the Special tests and provisions (N) compliance requirement. Effect or Potential Effect – Centra is not fully in compliance with the GLBA requirement for the year ended December 31, 2024. Questioned Costs – None. Context – Centra had designated a qualified individual responsible for overseeing and implementing and enforcing an information security program (16 CFR 314.4(a)) and have completed the risk assessment (16 CFR 314.4(b)), as required by the GLBA. However, the remaining five elements of the GLBA (16 CFR 314.4(c)–(g)) were still in process of being implemented as of December 31, 2024. As of December 31, 2024, five of the seven elements were partially implemented. Repeat Finding – This is a repeat of prior year finding 2023-001. Recommendation - We recommend that Centra maintain appropriate internal controls and administrative oversight in order to fully comply with the GLBA requirements of 16 CFR 314.4(c)–(g). Such would include (i) assessment, design, and implementation of safeguards; (ii) regularly test and monitor the safeguards; (iii) ensure ability to enact the information security program; (iv) oversee service providers and (v) adjust in light of results of testing and monitoring. Views of Responsible Officials – Centra management agrees with this finding and is in process of implementing a corrective action plan.

Information on the Federal Program - Federal Pell Grant Program (ALN: 84.063) and Federal Direct Stafford Loans (ALN: 84.268) Criteria or Specific Requirement – N. Special Tests and Provisions - The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers. Under an institution’s Program Participation Agreement with the Department of Education (ED) and the GLBA, institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the federal student financial aid programs. Accordingly, institutions are required to develop, implement, and maintain a written comprehensive information security program. Condition – During our audit procedures, we noted that Centra’s written information security program did not entirely meet all minimum requirements of the GLBA and therefore was not fully in compliance with the requirement. Cause – Insufficient internal controls and administrative oversight with respect to the Special tests and provisions (N) compliance requirement. Effect or Potential Effect – Centra is not fully in compliance with the GLBA requirement for the year ended December 31, 2024. Questioned Costs – None. Context – Centra had designated a qualified individual responsible for overseeing and implementing and enforcing an information security program (16 CFR 314.4(a)) and have completed the risk assessment (16 CFR 314.4(b)), as required by the GLBA. However, the remaining five elements of the GLBA (16 CFR 314.4(c)–(g)) were still in process of being implemented as of December 31, 2024. As of December 31, 2024, five of the seven elements were partially implemented. Repeat Finding – This is a repeat of prior year finding 2023-001. Recommendation - We recommend that Centra maintain appropriate internal controls and administrative oversight in order to fully comply with the GLBA requirements of 16 CFR 314.4(c)–(g). Such would include (i) assessment, design, and implementation of safeguards; (ii) regularly test and monitor the safeguards; (iii) ensure ability to enact the information security program; (iv) oversee service providers and (v) adjust in light of results of testing and monitoring. Views of Responsible Officials – Centra management agrees with this finding and is in process of implementing a corrective action plan.