Federal Program: Student Financial Aid Cluster Type of Finding: Significant Deficiency in Internal Control Over Compliance and Other Matters Federal Agency: Department of Education ALN Number: 84.063, 84.268, 84.033, 84.007 Criteria: Federal regulations require institutions to correctly calculate and disburse Pell Grant awards: Institutions must follow Title IV calculation and disbursement procedures. When an overpayment results from the institution’s failure to follow required procedures, the institution is liable, and must restore the overpaid amount to its Pell Grant Program account. Schools must package and disburse Title IV aid in compliance with the Federal Student Aid Handbook, including correcting over-awards and ensuring accurate Pell awards. Condition: During our audit of the College’s administration of Federal Pell Grants for the 2024–2025 award year, we noted an error in one of our sample selections that identified a system error in the financial aid system’s Pell calculation that resulted in incorrect disbursements for some students. Based on the College’s subsequent full-population analysis, eleven students received incorrect Pell Grant amounts. The College recalculated Pell Grant eligibility for affected students and prepared corrected award amounts. At the time of our testing, corrective actions had been initiated but were not yet complete. Cause: Due to a change in the way Pell awards are derived in conjunction with systems limitations, the College disbursed Pell amounts using an outdated calculation, wherein amounts disbursed did not agree to amounts awarded under the new calculation. This error was not detected through routine reconciliation or quality-control reviews. Context and Effect The error resulted in both overpayments and underpayments of Pell Grant funds. The College is at risk of: Being financially liable for Pell Grant overpayments attributable to institutional error, as defined by federal regulation. Students being temporarily underpaid, delaying access to entitled Title IV funds. Increased risk of noncompliance with Title IV requirements, which could affect program participation if uncorrected. Questioned costs: Overpayment of Pell awards totaling $1,718 and underpayment of Pell awards totaling $3,279. Recommendation: We recommend that the College: 1. Complete all necessary corrections by: o Returning overpaid Pell Grant amounts to the Pell Grant Program account for all cases where the College is liable. o Issuing additional disbursements to students who were underpaid, provided the award year remains open for processing. 2. Document all recalculations, including revised eligibility, corrected disbursement amounts, and evidence of system corrections. 3. Strengthen internal controls by implementing: o System validation checks on Pell calculation parameters, o Periodic reconciliation of disbursements to expected award schedules, and o A documented management review before each disbursement cycle. 4. Provide staff training on Pell Grant eligibility and disbursement requirements. Grantee Comment: Refer to Corrective Action Plan.
Federal Program: Student Financial Aid Cluster Type of Finding: Significant Deficiency in Internal Control Over Compliance and Other Matters Federal Agency: Department of Education ALN Number: 84.063, 84.268, 84.033, 84.007 Criteria: The College is required to submit the Fiscal Operations Report and Application to Participate (FISAP) annually to receive funds for the campus-based programs. Condition: The College incorrectly reported information on tuition and fees in the FISAP submitted to the Department of Education that reconciled to tuition and fees as reported on the statement of activities. Questioned Costs: None Cause: Employee turnover. Effect: The College did not operate in accordance with the special reporting compliance requirement. Recommendation: The College should develop procedures to have the financial aid and financial accounting information systems reconciled monthly. These reconciliations will ensure accurate reporting during periods of turnover of key personnel. Grantee Comment: Refer to Corrective Action Plan
Federal Program: Student Financial Aid Cluster Type of Finding: Significant Deficiency in Internal Control Over Compliance and Other Matters Federal Agency: Department of Education ALN Number: 84.063, 84.268, 84.033, 84.007 Criteria: The Code of Federal Regulations (34 CFR 685.309) requires enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. According to the NSLDS Enrollment Reporting Guide, a student’s Program-Level enrollment status should be reported with the same enrollment status as that student’s campus-level enrollment status for all programs the student is enrolled in at that location, even if the student is not currently taking coursework that applies to a particular program. If the student has withdrawn or graduated from an academic program, a “terminal enrollment status” of ‘W’ or ‘G,’ as appropriate, should be reported for that program, even if the student is still taking coursework applicable to other programs in which the student is enrolled. Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly. Condition: The College did not properly report the student enrollment change for students who received federal student aid to the NSLDS. The College did not timely report three students’ Campus-Level enrollment status change to NSLDS. Context: Out of the thirty one students tested, we noted three students whose status change at the Program-Level and Campus-Level was not timely reported to NSLDS. Questioned costs: None. Cause: The College did not have formally documented controls related to the process of enrollment reporting, which is required under Uniform Grant Guidance. Effect: Student status changes exceeded the 60-day period for student enrollment changes reported in roster files. Recommendation: We recommend the College review current processes and implement updated processes and controls for reporting to NSLDS, implementing procedures to ensure submissions are reported timely and accurately. In addition, we recommend the College review the reporting in the system to ensure it can pull accurate reports of student enrollment status. Grantee Comments: See corrective action plan.
Federal Program: Student Financial Aid Cluster Type of Finding: Significant Deficiency in Internal Control Over Compliance and Other Matters Federal Agency: Department of Education ALN Number: 84.063, 84.268, 84.033, 84.007 Criteria: The FTC Safeguards Rule, 16 CFR 314.4, requires covered financial institutions to develop, implement, and maintain a comprehensive information security program that includes, at a minimum: Designation of a qualified individual to oversee the program A written risk assessment addressing internal and external threats Implementation of safeguards designed to control identified risks, with regular testing or monitoring Formal oversight of service providers, including contractual safeguard requirements Ongoing evaluation and adjustment of the information security program Condition: The College has not fully developed, implemented, and documented the information security program required under the Federal Trade Commission’s Safeguards Rule, 16 CFR 314.4. While the College has implemented certain administrative and technical security measures, several required components remain informal, incomplete, or in draft status. Specifically: The College has not completed a written risk assessment that identifies reasonably foreseeable internal and external risks, defines evaluation and categorization criteria, assesses the confidentiality, integrity, and availability of customer information, and documents risk mitigation or acceptance decisions, as required by § 314.4(b). The College has not formally adopted a written information security program that is based on the results of a documented risk assessment and includes a defined program for regular testing and monitoring of key controls, systems, and procedures, as required by § 314.4(c). Incident response and testing activities are described as informal or in draft form, and a finalized incident response policy has not yet been approved and implemented. Vendor oversight procedures are not fully documented to demonstrate that all service providers are contractually required to maintain safeguards consistent with the Safeguards Rule, as required by § 314.4(d). As a result, required elements of the Safeguards Rule are planned or in progress, but not fully implemented. Cause: Management has focused primarily on deploying technical security controls and initiating program development activities; however, formal governance documentation, risk assessment methodology, and program approval processes have not progressed at the same pace. As a result, the information security program has not been fully documented or formally implemented in accordance with regulatory requirements. Context and Effect: Failure to fully comply with 16 CFR 314.4 increases the risk that student information may not be adequately protected against unauthorized access, disclosure, or misuse. In addition, noncompliance with the FTC Safeguards Rule exposes the College to potential regulatory scrutiny, enforcement actions, and penalties, as well as reputational harm in the event of a cybersecurity incident. Questioned costs: None. Recommendation: The College should: 1. Complete and formally approve a written risk assessment that meets all requirements of 16 CFR 314.4(b). 2. Finalize, adopt, and implement a written information security program aligned with the documented risk assessment. 3. Establish and document a formal testing and monitoring program with defined scope and frequency. 4. Finalize and implement the incident response policy and ensure it is integrated into the broader information security program. 5. Review service provider contracts and document that all applicable vendors are required by contract to maintain appropriate safeguards. Grantee Comment: Refer to Corrective Action Plan.