Audit 400711

Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: 84.268, 84.063, 84.379 Award Period: August 1, 2024 through July 31, 2025 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or Specific Requirement: The Department of Education requires the Institute to report the disbursement dates and amounts to the Common Origination and Disbursement (COD) system within 15 days of disbursing Pell (34 CFR 690.83(b)(2) and Direct Loan (34 CFR 685.309) funds to a student. Condition: During our testing, we noted that the College's internal controls over COD reporting were not operating effectively. For 17 out of 32 disbursements, CLA noted that the COD disbursement date did not match the date the student was disbursed per their student account detail. For 15 out of 32 disbursements, CLA noted that the COD disbursement date was before the disbursement date per each student's account detail. For 5 out of 32 disbursements, the applied date was not reported timely and was outside of the allowed 15-day period after disbursing the student's award. Questioned Costs: None Context: During our testing, we noted the College did not have proper procedures in place to verify the dates sent to COD are timely and accurate. Cause: The College does not have a process in place to accurate report Unsubsidized Loan disbursements to COD. Effect: Students interest accrues based on disbursement date reported to COD, thus interest calculation could be skewed due to the discrepancy in disbursement dates reported. Repeat Finding: No Recommendation: We recommend the College evaluate its procedures and policies around reporting to COD to ensure that student information is reported accurately. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: 84.063, 84.007, 84.033, 84.268, 84.379 Award Period: August 1, 2024 through July 31, 2025 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, we noted the College did not have a formal Written Information Security Program (WISP) in place during the period under audit. Questioned Costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and the College did not have a formal WISP in place. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.