Audit 384637

2025-001: REPORTING Program: Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans Cluster Title: Student Financial Assistance Cluster Federal Assistance Listing Numbers: 84.007, 84.063, and 84.268 Federal Agency: U.S. Department of Education Type of Finding: Noncompliance (Other Matter), significant deficiency in internal control Compliance Requirement: L. Reporting Questioned Costs: N/A Repeat Finding: No Condition/Context: Total tuition and fees as reported in the FISAP report was $3,228,909 while the District’s underlying accounting records showed $2,883,823, for a difference of $345,086. Total Federal Pell grant expenditures were reported as $362,929 on the FISAP report while the underlying accounting records and schedule of expenditures of federal awards showed $408,614, for a difference of $45,685. Criteria: The Student Financial Assistance cluster requires that the District submit the Fiscal Operations Report and Application to Participate (FISAP) annually. The amount should agree to the underlying accounting records. Cause: The District did not have adequate policies and procedures in place to ensure that revenues and expenditures are reported properly. Effect: Information reported by the District was not accurate and is not in compliance with requirements of the grant. Recommendation: We recommend the District should establish policies and procedures to ensure that the amounts reported on the FISAP are accurate and agree to the underlying accounting records. View of Responsible Officials: The District concurs with this recommendation and will review its procedures over reporting to ensure amounts reported agree to the underlying records and data.

2025-002: SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT Program: Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans Cluster Title: Student Financial Assistance Cluster Federal Assistance Listing Numbers: 84.007, 84.063, and 84.268 Federal Agency: U.S. Department of Education Type of Finding: Noncompliance (Other Matter), significant deficiency in internal control Compliance Requirement: N. Special Tests and Provisions Questioned Costs: N/A Repeat Finding: No Condition/Context: During our review of the District’s information security policies and procedures, it was noted that the District did not have formally written information security policies and procedures. The District did not have a process to evaluate and maintain a data inventory, ensuring sensitive data is at a higher risk profile and prioritized for security protocols. The District did not limit administrative privileges to dedicated administrator accounts; instead systemadministrators utilized their administrative accounts for all their job function, rather than just the functions requiring higher levels of access. Criteria: Title IV-eligible institutions are subject to the Gramm-Leach-Bliley Act (the ‘‘Act’’). The Act requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ‘‘financial institutions’’ and subject to the Act because they appear to be significantly engaged in wiring funds to consumers. Institutions agree to comply with the Act in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs. Institutions are required to develop, implement and maintain a written comprehensive information security program. Cause: The District did not have adequate policies and procedures in place to ensure a formal information security policy was established which included activities to classify data and restrict access to administrator accounts and ensure sensitive data was safeguarded. Effect: Noncompliance with federal special tests and provisions and internal control weakness. Recommendation: We recommend the District establish policies and procedures over its information security protocols to ensure sensitive information is secured and data classification procedures are implemented. In addition, administrator accounts should have restricted access for security considerations. View of Responsible Officials: The District concurs with this recommendation and will review its policies and procedures over its information security process.