2025 – 002: Internal Controls and Segregation of Duties Federal Agency: U.S. Department of Education Federal Program Title: Student Financial Aid Cluster ALN Number: 84.063, 84.007, 84.033, 84.038, 84.268, 93.364 Award Period: July 1, 2024 – June 30, 2025 Type of Finding: Material Weakness in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Internal controls are not designed and operating effectively with no appropriate segregation of duties in the following areas: 1. Drawdowns for All Federal Awards – There was no control in place specifically designating the appropriate personnel who is responsible to perform the review of all drawdowns to ensure the information and amount are accurate. 2. Reconciliations of Pell Grants, Supplemental Educational Opportunity Grants (SEOG), Federal Work-Study, and Direct Loans between COD, Bank Accounts, and G5 – Reconciliations are prepared by the Associate Director of Financial Aid and reviewed by the Director of Financial Aid. There was no documentation of the review to verify that these controls are operating effectively. 3. Federal Aid Packages – The Director of Financial Aid prepares and reviews all Federal aid packages. There was no adequate and proper segregation of duties. 4. Professional Judgement Determinations – There was not proper documentation of review or approval. 5. R2T4 Calculations - The Director of Financial Aid prepares and reviews the R2T4 calculations. There was no adequate and proper segregation of duties. 6. Credit Balances - There is no control in place over the review of payment of credit balances to the student within 14 days. 7. Incentive Compensation – We were unable to verify whether the control to ensure that no incentive compensation is made to employees in the student recruiting and admission, and financial aid departments, is designed and operating effectively. 8. Eligibility – We identified instances in which the Cost of Attendance (COA) used to calculate financial need was inaccurate due to insufficient review and oversight over COA calculations. Questioned costs: None Context: This condition occurred in our various testing all throughout the audit of the Student Financial Aid cluster. Cause: Internal controls are not adequately and properly designed to address the risks. Additionally, some controls in place are not operating effectively. Effect: 1. Internal Control deficiencies can lead to non-compliance with laws and regulations, operational inefficiencies and inaccuracies in financial reporting. 2. Improper or lack of segregation of duties can lead to increased risk of errors, fraud, and inefficiencies, as there is insufficient oversight and control. Repeat Finding: Yes Recommendation: We recommend the University review its internal controls over compliance as these are crucial in protecting the University’s assets, ensuring the accuracy of financial reporting, promoting operational efficiency, and ensuring compliance with laws and regulations. Views of responsible officials: There is no disagreement with the audit finding.
2025 – 003: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Title: Student Financial Aid Cluster ALN Numbers: 84.063, 84.033, 84.007, 84.268, 84.038, 93.364 Award Period: July 1, 2024 – June 30, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include eight elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Additionally, institutions must conduct penetration testing and vulnerability assessments to ensure the effectiveness of their safeguards. Condition: The University has not implemented key components of the GLBA Safeguards Rule, including maintaining a formal data inventory and performing a periodic risk assessment of information. Questioned costs: None Context: 1. The University has not identified their process in how they identify and manage data, personnel, devices, systems, and facilities within a defined data inventory. 2. The University has not performed a risk assessment within the audit period to assist in the adjustment of their managerial, technical, and operational controls. Cause: The underlying cause of these conditions is the absence of formal data governance practices and a structured, recurring risk assessment process. Effect: As a result of the lack of a defined data inventory and a current risk assessment, the Organization may not effectively identify, assess, or mitigate risks to information, increasing the risk of inadequate safeguards, data compromise, and noncompliance with GLBA requirements. Repeat Finding: Yes Recommendation: We recommend that management establish and document a formal process to identify and maintain an inventory of data, personnel, devices, systems, and facilities that support or process customer information. Additionally, we recommend that management implement a formal, documented risk assessment process that is performed at least annually and updated as needed. Views of responsible officials: There is no disagreement with the audit finding.
2025 – 004: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Title: Student Financial Aid Cluster ALN Numbers: 84.063, 84.268 Award Period: July 1, 2024 – June 30, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or Specific Requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During testing of NSLDS enrollment reporting, we identified multiple instances of noncompliance related to timely and accurate enrollment reporting and certification. Specifically, the following issues were noted: 1. Enrollment date discrepancies The enrollment date per campus level institutional records does not match the enrollment date per NSLDS. 2. Program start date discrepancies The program start date per institutional records does not match program start date per NSLDS. 3. Untimely reporting of enrollment status changes The enrollment status change was not timely reported to NSLDS. 4. Missed enrollment certification One student was not certified within the required 60‑day period. 5. Enrollment status discrepancies The enrollment status change per institutional records does not match the status per NSLDS. Section III –Findings and Questions Costs – Major Federal Programs (Continued) 2025 – 004: Enrollment Reporting (Continued) 6. Inaccurate institutional records Institutional records did not accurately reflect the student’s enrollment status, despite NSLDS and email communication reflecting the withdrawal. Questioned costs: None Context: 1. This condition occurred in 4 out of 26 students tested. 2. This condition occurred in 9 out of 26 students tested. 3. This condition occurred in 2 out of 26 students tested. 4-6 This condition occurred in 1 out of 26 students tested. Cause: The University did not have sufficient controls in place to ensure enrollment information submitted to NSLDS was complete, accurate, and reviewed for consistency with institutional records, nor adequate monitoring procedures to ensure enrollment status changes and required certifications were submitted timely. Effect: Failure to accurately and timely report enrollment information to NSLDS may result in inaccurate federal student aid records, which could impact student loan repayment status, deferment eligibility, and other Title IV determinations made by the Department of Education. Repeat Finding: Yes Recommendation: We recommend the institution strengthen internal controls over NSLDS enrollment reporting by implementing formal review and reconciliation procedures to ensure: 1. Enrollment dates, program start dates, and enrollment statuses reported to NSLDS agree with institutional records; 2. Enrollment status changes are identified and reported timely; and 3. Enrollment certifications are completed at least every 60 days in accordance with federal requirements. Views of responsible officials: There is no disagreement with the audit finding.