2022-004. FINDING Noncompliance with Special Tests and Provisions - Student Financial Aid Information Security

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.007; 84.033; 84.038; 84.063; 84.268; 84.379; 93.925
Program Names: Student Financial Assistance Cluster - Federal Supplemental Educational Opportunity Grants; Federal Work-Study Program; Federal Perkins Loan Program; Federal Pell Grant Program; Federal Direct Student Loans; Teacher Education Assistance for College and Higher Education Grants; Scholarships for Health Professions Students from Disadvantaged Background
Program Expenditures: $359,412; $432,302; $1,264,604; $4,213,853; $20,166,174; $26,878; $860,306
Award Numbers: P007A221121; P033A221121; P063P211351; P268K221351; P379T221351
Questioned Costs: None

The Chicago State University (University) did not perform risk assessment procedures and document safeguards for each risk identified in relation to student financial aid information.

According to the University's Program Participation Agreement with the Department of Education, the University is required to protect student financial aid information. During our testing, we noted the University had not conducted a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of student information.

The Standards for Safeguarding Customer Information, required by the Gramm-Leach-Bliley Act (GLBA) (16 CFR § 314.4 (b)), require the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of operations, including:

(1) Employee training and management;
(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
(3) Detecting, preventing and responding to attacks, intrusions, or other system failures.

Additionally, the Uniform Guidance (2 CFR § 200.303) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.

In addition, the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST) requires entities to perform a risk assessment and establish a risk mitigation plan to minimize identified risks.

University management indicated the issues were due to the vacancy of an Information Technology Security Officer position.

Without a risk assessment, the University is at risk of noncompliance with the GLBA. In addition, the University's systems and information could be vulnerable to attacks or intrusions, and these attacks may not be detected in a timely manner. (Finding Code No. 2022-004)

RECOMMENDATION

We recommend the University strengthen controls to ensure adequate risk assessment procedures are performed and documentation of safeguards for each risk identified in relation to student information security is maintained.

UNIVERSITY RESPONSE

The University agrees with the finding and is developing a corrective action plan for implementation.

2022-003. FINDING Failure to Obtain Student Verification Documents

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.063; 84.268
Program Names: Student Financial Assistance Cluster - Federal Pell Grant Program; Federal Direct Student Loans
Program Expenditures: $4,213,853; $20,166,174
Award Numbers: P063P211351; P268K221351
Questioned Costs: None

The Chicago State University (University) did not obtain and review student verification documents.

For Academic Year 2021-2022, the Department of Education waived the verification of most Free Application for Federal Student Aid (FAFSA) information, except for Identity/Statement of Educational Purpose and High School Completion Status. During testing of 25 students selected for verification, we noted the University did not obtain supporting documentation to verify the identity of two (8%) students. The sample methods used in performing this testing were not statistically valid.

The Federal Student Aid Publication (GEN-21-05) - Changes to 2021-2022 Verification Requirements, dated July 13, 2021, waived verification of information of students applying for financial assistance except for verification of documents for Identity/Statement of Educational Purpose and High School Completion Status of certain verification groups.

Additionally, the Uniform Guidance (2 CFR § 200.303) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.

University management indicated the failure to obtain verification documents was due to oversight.

Failure to obtain verification documents in accordance with federal regulations may result in students receiving awards for which they are ineligible and the University incurring unallowable costs. (Finding Code No. 2022-003)

RECOMMENDATION

We recommend the University ensure student verification documents are obtained, reviewed, and maintained.

UNIVERSITY RESPONSE

The University agrees with the finding and is developing a corrective action plan for implementation.

2022-005. FINDING Failure to Notify Students Upon Disbursement of Funds

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.268; 84.379
Program Names: Student Financial Assistance Cluster - Federal Direct Student Loans; Teacher Education Assistance for College and Higher Education Grants
Program Expenditures: $20,166,174; $26,878
Award Number: P268K221351
Questioned Costs: None

The Chicago State University (University) did not notify the students upon disbursement of grant funds and loans.

During testing of nine students, who received Teacher Education Assistance for College and Higher Education Grants (TEACH) totaling $21,220, we noted six (67%) students with grant disbursements totaling $16,505 were not notified by the University indicating the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

In addition, during testing of 25 students, who received Federal Direct Student Loans totaling $447,363, we noted 25 (100%) students were not notified by the University indicating the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

The Code of Federal Regulations (Code) (34 CFR § 668.165 (a)(3)(i)) requires the University to notify students or parents in writing no earlier than 30 days before, and no later than 30 days after, crediting the students' ledger account at the University with TEACH Grant funds or Federal Direct Student Loans.

Further, the Code (2 CFR § 200.303) requires the nonfederal entity receiving federal awards to establish and maintain effective internal control over the federal award to provide reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls include procedures to ensure timely notification of disbursements to students receiving TEACH Grants and Federal Direct Loans.

University management indicated the failure to timely notify students upon disbursements of TEACH grants and Direct Loans was due to resource constraints.

Failure to timely notify students upon disbursement of funds resulted in noncompliance with the Code. (Finding Code No. 2022-005)

RECOMMENDATION

We recommend the University strengthen controls to ensure timely notification is sent to students upon disbursement of grant funds and loans.

UNIVERSITY RESPONSE

The University agrees with the finding and is developing a corrective action plan for implementation.

2022-006. FINDING Lack of Adherence to Controls and Noncompliance with Requirement Applicable to the Education Stabilization Fund

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.425E; 84.425F; 84.425L
Program Names: Higher Education Stabilization Fund -
COVID-19 - Higher Education Emergency Relief Fund - Student Aid Portion
COVID-19 - Higher Education Emergency Relief Fund - Institutional Portion
COVID-19 - Higher Education Emergency Relief Fund - Minority Serving Institutions
Program Expenditures: $4,008,386; $3,338,668; $436,450
Award Numbers: 425E201661; P425F201393; P425L200359
Questioned Costs: None

The Chicago State University (University) did not utilize the updated quarterly reporting form to report its Higher Education Emergency Relief Fund (HEERF) student and institutional aid awards.

During testing, we noted one of four (25%) quarterly reporting forms utilized for reporting HEERF awards was outdated. As such, the information reported by the University did not include certain data required by the Department of Education.

On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was enacted into Public Law 116-136. Section 18004(a)(1) of the CARES Act established the HEERF I program, which authorizes the Secretary of Education (Secretary) to allocate funding to eligible institutions of higher education to prevent, prepare for, and respond to the coronavirus pandemic (COVID-19). Subsequently, additional grants from the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) and the American Rescue Plan Act of 2021 (ARP) were received, establishing the HEERF II and HEERF III programs, respectively, to continuously support public and non-profit institutions and students.

Under the CARES, CRRSAA, and ARP Acts, an institution is required to complete and post on its website a quarterly and annual report of its HEERF grant expenditures using the form designed by the Department of Education to help ensure funding transparency and public accountability.

The Higher Education Emergency Relief Fund III Frequently Asked Questions, Question 36, published by the Department of Education, requires the University to utilize the new quarterly reporting form beginning with the June 30, 2022, reporting period. The new quarterly reporting form includes new reporting categories on mental health spending, HEERF (a)(2) construction flexibilities, and lost revenue, and combines the separate institutional and student reporting requirements.

The Code of Federal Regulations (Code) (2 CFR § 200.303) requires the University to establish and maintain effective internal control over the federal award to provide reasonable assurance the University is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures to ensure compliance with grant reporting requirements.

This finding was first reported in Fiscal Year 2020. In subsequent years, the University has been unsuccessful in implementing appropriate procedures to improve its controls over HEERF awards.

University management indicated the failure to use the correct reporting form was due to lack of coordination between staff involved in the reporting process.

Failure to comply with the grant reporting requirements of the HEERF programs results in noncompliance with the CARES, CRRSAA, and ARP Acts, grant agreements, and the Code. (Finding Code No. 2022-006, 2021-004, 2020-005)

RECOMMENDATION
We recommend the University strengthen its controls to ensure updated forms are used to report its HEERF student and institutional aid awards.

UNIVERSITY RESPONSE
The University agrees with the finding and has implemented a corrective action plan to improve internal controls related to posting of HEERF reports and submission of the Governor's Emergency Education Relief Fund reports.
2022-003. FINDING Failure to Obtain Student Verification Documents

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.063; 84.268
Program Names: Student Financial Assistance Cluster -
Federal Pell Grant Program
Federal Direct Student Loans
Program Expenditures: $4,213,853; $20,166,174
Award Numbers: P063P211351; P268K221351
Questioned Costs: None

The Chicago State University (University) did not obtain and review student verification documents.

For Academic Year 2021-2022, the Department of Education waived the verification of most Free Application for Federal Student Aid (FAFSA) information, except for Identity/Statement of Educational Purpose and High School Completion Status. During testing of 25 students selected for verification, we noted the University did not obtain supporting documentation to verify the identity of two (8%) students. The sample methods used in performing this testing were not statistically valid.

The Federal Student Aid Publication (GEN-21-05) - Changes to 2021-2022 Verification Requirements, dated July 13, 2021, waived verification of information of students applying for financial assistance except for verification of documents for Identity/Statement of Educational Purpose and High School Completion Status of certain verification groups.

Additionally, the Uniform Guidance (2 CFR § 200.303) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.

University management indicated the failure to obtain verification documents was due to oversight.

Failure to obtain verification documents in accordance with federal regulations may result in students receiving awards for which they are ineligible and the University incurring unallowable costs. (Finding Code No. 2022-003)

RECOMMENDATION
We recommend the University ensure student verification documents are obtained, reviewed, and maintained.

UNIVERSITY RESPONSE
The University agrees with the finding and is developing a corrective action plan for implementation.
2022-005. FINDING Failure to Notify Students Upon Disbursement of Funds

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.268; 84.379
Program Names: Student Financial Assistance Cluster -
Federal Direct Student Loans
Teacher Education Assistance for College and Higher Education Grants
Program Expenditures: $20,166,174; $26,878
Award Number: P268K221351
Questioned Costs: None

The Chicago State University (University) did not notify the students upon disbursement of grant funds and loans.

During testing of nine students, who received Teacher Education Assistance for College and Higher Education Grants (TEACH) totaling $21,220, we noted six (67%) students with grant disbursements totaling $16,505 were not notified by the University indicating the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

In addition, during testing of 25 students, who received Federal Direct Student Loans totaling $447,363, we noted 25 (100%) students were not notified by the University indicating the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

The Code of Federal Regulations (Code) (34 CFR § 668.165 (a)(3)(i)) requires the University to notify students or parents in writing no earlier than 30 days before, and no later than 30 days after, crediting the students' ledger account at the University with TEACH Grant funds or Federal Direct Student Loans.

Further, the Code (2 CFR § 200.303) requires the nonfederal entity receiving federal awards to establish and maintain effective internal control over the federal award to provide reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls include procedures to ensure timely notification of disbursements to students receiving TEACH Grants and Federal Direct Loans.

University management indicated the failure to timely notify students upon disbursements of TEACH grants and Direct Loans was due to resource constraints.

Failure to timely notify students upon disbursement of funds resulted in noncompliance with the Code. (Finding Code No. 2022-005)

RECOMMENDATION
We recommend the University strengthen controls to ensure timely notification is sent to students upon disbursement of grant funds and loans.

UNIVERSITY RESPONSE
The University agrees with the finding and is developing a corrective action plan for implementation.
2022-005. FINDING Failure to Notify Students Upon Disbursement of Funds

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.268; 84.379
Program Names: Student Financial Assistance Cluster - Federal Direct Student Loans; Teacher Education Assistance for College and Higher Education Grants
Program Expenditures: $20,166,174; $26,878
Award Number: P268K221351
Questioned Costs: None

The Chicago State University (University) did not notify students upon disbursement of grant funds and loans.

During testing of nine students who received Teacher Education Assistance for College and Higher Education (TEACH) Grants totaling $21,220, we noted six (67%) students with grant disbursements totaling $16,505 were not notified by the University that the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

In addition, during testing of 25 students who received Federal Direct Student Loans totaling $447,363, we noted 25 (100%) students were not notified by the University that the funds were credited to the students' accounts. The sample methods used in performing this testing were not statistically valid.

The Code of Federal Regulations (Code) (34 CFR § 668.165 (a)(3)(i)) requires the University to notify students or parents in writing no earlier than 30 days before, and no later than 30 days after, crediting the students' ledger account at the University with TEACH Grant funds or Federal Direct Student Loans.

Further, the Code (2 CFR § 200.303) requires the nonfederal entity receiving federal awards to establish and maintain effective internal control over the federal award to provide reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls include procedures to ensure timely notification of disbursements to students receiving TEACH Grants and Federal Direct Loans.

University management indicated the failure to timely notify students upon disbursements of TEACH Grants and Direct Loans was due to resource constraints.

Failure to timely notify students upon disbursement of funds resulted in noncompliance with the Code. (Finding Code No. 2022-005)

RECOMMENDATION

We recommend the University strengthen controls to ensure timely notification is sent to students upon disbursement of grant funds and loans.

UNIVERSITY RESPONSE

The University agrees with the finding and is developing a corrective action plan for implementation.
2022-006. FINDING Lack of Adherence to Controls and Noncompliance with Requirement Applicable to the Education Stabilization Fund

Federal Agency: U.S. Department of Education
Assistance Listing Numbers: 84.425E; 84.425F; 84.425L
Program Names: Higher Education Stabilization Fund - COVID-19 - Higher Education Emergency Relief Fund - Student Aid Portion; COVID-19 - Higher Education Emergency Relief Fund - Institutional Portion; COVID-19 - Higher Education Emergency Relief Fund - Minority Serving Institutions
Program Expenditures: $4,008,386; $3,338,668; $436,450
Award Numbers: 425E201661; P425F201393; P425L200359
Questioned Costs: None

The Chicago State University (University) did not utilize the updated quarterly reporting form to report its Higher Education Emergency Relief Fund (HEERF) student and institutional aid awards.

During testing, we noted one of four (25%) quarterly reporting forms utilized for reporting HEERF awards was outdated. As such, the information reported by the University did not include certain data required by the Department of Education.

On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was enacted into Public Law 116-136. Section 18004(a)(1) of the CARES Act established the HEERF I program, which authorizes the Secretary of Education (Secretary) to allocate funding to eligible institutions of higher education to prevent, prepare for, and respond to the coronavirus pandemic (COVID-19). Subsequently, additional grants from the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) and the American Rescue Plan Act of 2021 (ARP) were received, establishing the HEERF II and HEERF III programs, respectively, to continuously support public and non-profit institutions and students.

Under the CARES, CRRSAA, and ARP Acts, an institution is required to complete and post on its website a quarterly and annual report of its HEERF grant expenditures using the form designed by the Department of Education to help ensure funding transparency and public accountability.

The Higher Education Emergency Relief Fund III Frequently Asked Questions, Question 36, published by the Department of Education, requires the University to utilize the new quarterly reporting form beginning with the June 30, 2022, reporting period. The new quarterly reporting form includes new reporting categories on mental health spending, HEERF (a)(2) construction flexibilities, and lost revenue, and combines the separate institutional and student reporting requirements.

The Code of Federal Regulations (Code) (2 CFR § 200.303) requires the University to establish and maintain effective internal control over the federal award to provide reasonable assurance the University is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures to ensure compliance with grant reporting requirements.

This finding was first reported in Fiscal Year 2020. In subsequent years, the University has been unsuccessful in implementing appropriate procedures to improve its controls over HEERF awards.

University management indicated the failure to use the correct reporting form was due to lack of coordination between staff involved in the reporting process.

Failure to comply with the grant reporting requirements of the HEERF programs results in noncompliance with the CARES, CRRSAA, and ARP Acts, grant agreements, and the Code. (Finding Code No. 2022-006, 2021-004, 2020-005)

RECOMMENDATION

We recommend the University strengthen its controls to ensure updated forms are used to report its HEERF student and institutional aid awards.

UNIVERSITY RESPONSE

The University agrees with the finding and has implemented a corrective action plan to improve internal controls related to posting of HEERF reports and submission of the Governor's Emergency Education Relief Fund reports.