Criteria: 16 CFR Part 314 requires the University to implement information safeguard standards prescribed by the Gramm-Leach-Bliley Act (GLBA). GLBA requires institutions and servicers to develop, implement, and maintain a written, comprehensive information security program which contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.
An institution’s written information security program must include the following elements:
• Element 1: Designates a Qualified Individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
• Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
• Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
• Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
• Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
• Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
• Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)).
• Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
• Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).
Context: We conducted inquiries with the University’s Information Security Officer to determine whether the University had a written information security program that addressed the elements required by GLBA. Although the University has a designated security officer (i.e., Qualified Individual) and has made progress in developing and implementing the elements of a written information security program, management confirmed that the University did not implement all required elements of the program as prescribed by the GLBA.
Cause: Management indicated that there was a lack of awareness regarding the requirement to establish an information security program that addressed the required elements.
Effect: The University was not in compliance with the GLBA requirement, which could result in administrative action by the Department of Education and may impact the University’s participation in Title IV programs.
Questioned Costs: None
Identification of repeat finding: This is a repeat finding. See prior year finding 2024-002.
Recommendations: We recommend that the University put in place all remaining unimplemented elements in order to complete the University’s written, comprehensive information security plan prescribed by GLBA. The University should develop and retain documentation supporting the completion and implementation of each of the required elements. Once completed, the University should conduct periodic internal assessments of the Information Security Program’s compliance or consider engaging a third-party consultant to conduct such a review.
Section III – Federal Award Findings and Questioned Costs (continued)
Views of responsible officials: The University has made substantial progress toward completing the remaining elements required under the Gramm-Leach-Bliley Act (GLBA) and aligning its program with the FTC Safeguards Rule. Full implementation timelines are primarily constrained by current staffing capacity within ITS/Cybersecurity and Legal, as well as certain technical tool limitations (e.g., data discovery and validation). Despite these constraints, notable progress has been achieved across the required FTC Safeguards Program elements as summarized below:
• Element 1 – Designate a Qualified Individual: Completed. Qualified individual appointed to implement and supervise the company’s information security program, reporting mechanisms to the Board established. Completion is confirmed based on oversight and execution of subsequent program elements.
• Element 2 – Conduct a Risk Assessment: Completed. Initial risk assessment conducted to identify reasonably foreseeable threats; controls and priorities for Elements 3–9 are being guided by this assessment.
• Element 3 – Access Controls & Data Classification: 70% complete. Policies finalized; multi-factor authentication (MFA) implemented; initial asset inventory completed. Data owner assignments and detailed access reviews are in progress.
• Element 4 – Vulnerability Management: Complete. Latest penetration testing identified no critical findings.
• Element 5 – Information Security Policies: Drafted and pending Legal review; Board acceptance scheduled for March 2026.
• Element 6 – Third-Party Oversight: 70% complete. Policy and workflow developed. Board acceptance scheduled for March 2026.
• Element 7 – Periodic Risk Assessments: 80% complete. Updated risk assessment currently in progress.
• Element 8 – Incident Response Plan: 90% complete. Final reporting and approval scheduled for March 2026.
• Element 9 – Qualified Individual & Board Reporting: 90% complete. Annual report scheduled for March 2026.
• Red Flags Rule (Identity Theft Prevention): 50% complete. Policy drafted; complete comprehensive program, formal procedures and additional trainings still required.
Remaining actions will be completed as Legal and Board approvals are obtained and staffing capacity allows. HPU will continue to develop and retain documentation supporting the completion and implementation of each safeguard element, as prescribed by GLBA. Periodic internal assessments of the Information Security Program will be scheduled following full implementation, with consideration given to engaging an independent third party for future reviews.
Criteria: 34 CFR 668.22(j)(1) requires the University to return the amount of Title IV funds for which it is responsible as soon as possible, but no later than 45 days after the date of the University’s determination that the student withdrew. 34 CFR 668.22 requires the University to determine the amount of Title IV aid earned by a student who withdraws during a pay period or period of enrollment in which the student began attendance and calculate any Title IV funds to be returned to the U.S. Department of Education.
Condition: The University did not return Title IV funds within the 45 days. In addition, the University did not perform a review of students who had Title IV funds disbursed and received all failing or incomplete grades to identify students who withdrew during the Fall 2024 term.
Context: We selected a nonstatistical sample of 4 students from a population of 40 students who received all failing or incomplete grades for the Spring 2025 and Summer 2025 terms and had Title IV funds disbursed. Of the 4 students tested, 1 student required a Return of Title IV Funds (R2T4). For this student, the University did not calculate and return funds to the Department of Education within the required timeframe of 45 days. The University’s process to determine whether a student withdrew and required an R2T4 calculation includes reviewing students who were disbursed Title IV funds and received all failing or incomplete grades during a term. However, the University did not perform this review for the Fall 2024 term. Upon further inquiry, the University subsequently performed the Fall 2024 review and identified 22 students who required an R2T4 calculation to determine whether any Title IV funds should have been returned to the Department of Education. At the time of the audit, the University had not yet completed the R2T4 calculations for the students identified from the Fall 2024 review to determine whether additional Title IV funds were required to be returned to the Department of Education.
Cause: Although the University has policies and procedures in place over the R2T4 process, management indicated that responsibility for performing the R2T4 process was transferred from the University’s Business Office to the Financial Aid Office prior to the Fall 2024 term. During this transition, the step to review students who received all failing or incomplete grades to identify potential unofficial withdrawals requiring an R2T4 calculation was overlooked for the Fall 2024 term.
Effect: Failure to timely calculate and return Title IV funds resulted in noncompliance with the Return of Title IV Funds under the Special Tests and Provisions compliance requirement and increases the risk that Title IV funds may not be returned within the regulatory timeframe.
Questioned Costs: None
Identification of a repeat finding: This is a repeat finding. See prior year finding 2024-003.
Recommendations: We recommend the University strengthen its controls over the R2T4 process to ensure that procedures used to identify students who receive all failing or incomplete grades are performed timely so that potential unofficial withdrawals are identified and evaluated within the required regulatory timeframe and funds are remitted within the required deadlines. The University should also establish procedures to ensure that responsibilities for the R2T4 process are clearly assigned and monitored during departmental or staffing transitions to prevent required reviews from being overlooked and to ensure required reports are generated and reviewed timely.
Views of responsible officials: At the end of the 2023–24 award year, responsibility for generating Return of Title IV (R2T4) withdrawal lists transitioned from the Business Office to the Financial Aid Office. The Financial Aid Office began producing both official withdrawal and unofficial (non-passing grade) reports through Ellucian Banner. Because the two reports produced nearly identical student listings, it was assumed that the Banner-generated unofficial withdrawal report was effectively identifying all students who had received non-passing grades.
During an internal audit conducted at the end of the Spring 2025 semester, the University identified one student who had failed all courses and was not included on either of the R2T4 lists. Upon further review, the issue was traced to a reporting limitation within Banner that excluded some students with all failing grades from the population used for R2T4 review. To resolve this, the Financial Aid Office coordinated with the Registrar’s Office to obtain a complete list of students who officially withdrew and students with all non-passing grades once final grades were submitted. R2T4 calculations were subsequently performed for applicable students identified in this additional list.
Since Spring 2025, the University has institutionalized this revised procedure. The Registrar’s Office now provides the Financial Aid Office with a list of all students with non-passing grades at the end of each semester once grades are submitted. The Financial Aid Office reviews both reports to identify potential unofficial withdrawals and performs R2T4 calculations as required.
To strengthen oversight and prevent future omissions during staffing transitions or process changes, the University will:
• Document the revised R2T4 identification and review process in the Financial Aid operations manual.
• Clearly assign responsibility for report generation, review, and follow-up between the Registrar’s Office and Financial Aid Office.
• Implement a quarterly internal cross-check to confirm all required R2T4 reviews are completed.
Criteria: 34 CFR 668.164(h)(2) requires that a Title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than (i) 14 days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or (ii) 14 days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition: The University did not pay all Title IV credit balances to students or parents within the 14 days.
Context: We selected a non-statistical sample of 60 Title IV credit balances. For 9 out of the 60 credit balances, payments to the student or parent were made after the 14-day requirement. In all instances identified, the Title IV credit balances were ultimately paid to the student or parent.
Cause: Although the University has policies and procedures in place over the payment of Title IV credit balances, management indicated that responsibility for reviewing and processing Title IV credit balances transferred from the Business Office to Student Accounts during the year. This transition was not supported by sufficient training or clarification of compliance requirements, resulting in misunderstandings and inconsistent execution of required procedures.
Effect: Failure to timely pay Title IV credit balances to students or parents resulted in noncompliance with the special tests and provisions – disbursements to or on behalf of students requirement.
Questioned Costs: None
Identification of a repeat finding: This is a repeat finding. See prior year finding 2024-006.
Recommendations: We recommend the University strengthen its controls over the review and processing of Title IV credit balances to ensure refunds to students or parents are issued within the required 14-day timeframe. In addition, when responsibilities related to Title IV compliance are transferred between departments, the University should implement procedures to ensure staff receive appropriate training, roles and responsibilities are clearly defined, and compliance requirements are communicated to support consistent execution of required procedures.
Views of responsible officials: The officials responsible for Student Accounts acknowledge that certain student financial aid refunds were processed outside the 14-day federal deadline, primarily due to insufficient Title IV training during the initial transfer of responsibilities to Student Accounts. While a standard operating procedure (SOP) exists within the current refunds training, it is limited, focusing primarily on the reports and some of the federal requirements but does not provide sufficient detail on regulations, reviews, approvals, and timelines. Student Accounts has already taken steps to address and correct the misinformation, but additional improvements are still needed. The SOP for refunds is currently in progress to fully incorporate all necessary items to ensure better and clearer training guidelines. Mandatory Title IV refund training will be provided to all Refund Representatives and included in onboarding for new hires. We shall set established expectations for all individuals involved in the process, including their delegates, to ensure accountability and consistent application of procedures. Ongoing collaboration with Financial Aid will ensure procedures are consistently applied, questions are addressed, and staff remain current with requirements. These actions are expected to ensure compliance with the 14-day federal requirement, strengthen staff competency, and support continuous improvement in refund processing.