Audit 371249

Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: SFA - 2025 Award Period: June 1, 2024 to May 31, 2025 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 1 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date for students with student teaching that run beyond the December graduation date. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.

Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two items missing entirely from the Written Information Security Program: o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Questioned costs: None Context: These GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from the WISP at the end of the fiscal year. Cause: There was a general lack of capacity in IT staffing to formally implement the WISP fully during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.

Federal Agency: National Science Foundation Federal Program Name: Research and Development Cluster Assistance Listing Number: 47.076 Federal Award Identification Number and Year: R&D - 2025 Award Period: June 1, 2024 to May 31, 2025 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations 2 CFR Part 200, Subpart E, requires that expenses be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principals (200.403(a)) and allocable to a particular Federal award or other cost objective if the goods or services involved are chargeable or assignable to the Federal award or cost objective in accordance with relative benefits received (200.405). Condition: We noted that one out of 8 items selected for period of performance was incorrectly coded to an R&D grant. Questioned costs: $100 Context: The University's review and internal controls over R&D grant charges did not identify an expense that had been incorrectly coded. Cause: The University’s processes and controls did not ensure that all expenses charged to R&D grants were valid R&D expenditures. Effect: An incorrect amount of R&D expenditures was drawn down. Repeat Finding: No Recommendation: We recommend that the University review its procedures around review and approval of R&D expenditures to ensure that only valid expenditures are reported. Views of responsible officials: There is no disagreement with the audit finding.