FAC Explorer

Audit 46373

FY End
2022-05-31
Total Expended
$11.83M
Findings
24
Programs
10
Organization: Union College (NE)
Year: 2022 Accepted: 2023-02-28
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
45474 2022-002 Significant Deficiency Yes N
45475 2022-004 Significant Deficiency - N
45476 2022-002 Significant Deficiency Yes N
45477 2022-004 Significant Deficiency - N
45478 2022-002 Significant Deficiency Yes N
45479 2022-002 Significant Deficiency Yes N
45480 2022-002 Significant Deficiency Yes N
45481 2022-002 Significant Deficiency Yes N
45482 2022-002 Significant Deficiency Yes N
45483 2022-003 Significant Deficiency - N
45484 2022-003 Significant Deficiency - N
45485 2022-003 Significant Deficiency - N
621916 2022-002 Significant Deficiency Yes N
621917 2022-004 Significant Deficiency - N
621918 2022-002 Significant Deficiency Yes N
621919 2022-004 Significant Deficiency - N
621920 2022-002 Significant Deficiency Yes N
621921 2022-002 Significant Deficiency Yes N
621922 2022-002 Significant Deficiency Yes N
621923 2022-002 Significant Deficiency Yes N
621924 2022-002 Significant Deficiency Yes N
621925 2022-003 Significant Deficiency - N
621926 2022-003 Significant Deficiency - N
621927 2022-003 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Loan Program $6.88M Yes 1
84.063 Pell Grant Program $1.11M Yes 1
84.425F Heerf Institutional Portion $1.07M Yes 1
84.038 Federal Perkins Loan Program - Beginning Balance $1.07M Yes 2
84.425E Heerf Student Aid Portion $1.06M Yes 1
93.364 Nursing Student Loan Program - Beginning Balance $306,370 Yes 1
84.033 Federal Work Study Program $145,190 Yes 1
84.007 Federal Supplemental Educational Opportunity Grant Program $138,396 Yes 1
84.425M Heerf Strengthening Institutions Program $49,928 Yes 1
84.038 Federal Perkins Loan Program - Loans Issued $0 Yes 2

Contacts

Name Title Type
T5N2GAGKKZN3 Steve Trana Auditee
4024862502 Deirdre Hodgson Auditor
No contacts on file

Notes to SEFA

Title: Loan/loan guarantee outstanding balances Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as toreimbursement. The College has elected to use the 10 percent de minimis indirect cost rate allowed under the Uniform Guidance. De Minimis Rate Used: Y Rate Explanation: The auditee used the de minimis cost rate. The federal student loan programs listed subsequently are administered directly by Union College, and balances and transactions relating to these programs are included in Union Colleges basic financial statements. Loans outstanding at the beginning of the year and loans made during the year are included in the federal expenditures presented in the Schedule. The balance of loans outstanding at May 31, 2022 consists of: FEDERAL PERKINS LOAN PROGRAM - BEGINNING BALANCE (84.038) - Balances outstanding at the end of the audit period were $909,201. FEDERAL NURSING LOAN PROGRAM - BEGINNING BALANCE (93.364) - Balances outstanding at the end of the audit period were $263,182.
Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as toreimbursement. The College has elected to use the 10 percent de minimis indirect cost rate allowed under the Uniform Guidance. De Minimis Rate Used: Y Rate Explanation: The auditee used the de minimis cost rate. The purpose of the schedule of expenditures of federal awards (the Schedule) is to present a summary of those activities of Union College that have been financed by the United States government (federal awards). Federal awards received directly from federal agencies are included in the Schedule.The Schedule is presented on the accrual basis of accounting.

Finding Details

Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-004
2022-004 Perkins Promissory Notes Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.038 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 674.16 states that before an institution makes its first disbursement to a student, the student shall sign the promissory note. Condition: Perkins Promissory Note - During our testing of the Student Financial Aid Cluster, we noted that 13 student out of 34 tested in the Perkins loan program could not be supported as having completed a promissory note. Questioned Costs: None Context: Many of the missing promissory notes were old and could not be located in paper or electronic files. Cause: The College did not have a process in place to ensure promissory notes were appropriately retained either in paper or electronic format. Effect: The College cannot provide documentation showing proper completion of promissory note as required by DOE requirements. Repeat finding: No Recommendation: We recommend that the College put a procedure in place to ensure that all students have a promissory note prior to disbursing of funds. Also recommend a procedure be put in place to ensure proper record retention documenting the completion of promissory note. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-004
2022-004 Perkins Promissory Notes Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.038 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 674.16 states that before an institution makes its first disbursement to a student, the student shall sign the promissory note. Condition: Perkins Promissory Note - During our testing of the Student Financial Aid Cluster, we noted that 13 student out of 34 tested in the Perkins loan program could not be supported as having completed a promissory note. Questioned Costs: None Context: Many of the missing promissory notes were old and could not be located in paper or electronic files. Cause: The College did not have a process in place to ensure promissory notes were appropriately retained either in paper or electronic format. Effect: The College cannot provide documentation showing proper completion of promissory note as required by DOE requirements. Repeat finding: No Recommendation: We recommend that the College put a procedure in place to ensure that all students have a promissory note prior to disbursing of funds. Also recommend a procedure be put in place to ensure proper record retention documenting the completion of promissory note. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-004
2022-004 Perkins Promissory Notes Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.038 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 674.16 states that before an institution makes its first disbursement to a student, the student shall sign the promissory note. Condition: Perkins Promissory Note - During our testing of the Student Financial Aid Cluster, we noted that 13 student out of 34 tested in the Perkins loan program could not be supported as having completed a promissory note. Questioned Costs: None Context: Many of the missing promissory notes were old and could not be located in paper or electronic files. Cause: The College did not have a process in place to ensure promissory notes were appropriately retained either in paper or electronic format. Effect: The College cannot provide documentation showing proper completion of promissory note as required by DOE requirements. Repeat finding: No Recommendation: We recommend that the College put a procedure in place to ensure that all students have a promissory note prior to disbursing of funds. Also recommend a procedure be put in place to ensure proper record retention documenting the completion of promissory note. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-004
2022-004 Perkins Promissory Notes Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.038 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 674.16 states that before an institution makes its first disbursement to a student, the student shall sign the promissory note. Condition: Perkins Promissory Note - During our testing of the Student Financial Aid Cluster, we noted that 13 student out of 34 tested in the Perkins loan program could not be supported as having completed a promissory note. Questioned Costs: None Context: Many of the missing promissory notes were old and could not be located in paper or electronic files. Cause: The College did not have a process in place to ensure promissory notes were appropriately retained either in paper or electronic format. Effect: The College cannot provide documentation showing proper completion of promissory note as required by DOE requirements. Repeat finding: No Recommendation: We recommend that the College put a procedure in place to ensure that all students have a promissory note prior to disbursing of funds. Also recommend a procedure be put in place to ensure proper record retention documenting the completion of promissory note. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-002
2022 ? 002 Gramm-Leach-Bliley Act Federal agency: Department of Education Federal program title: Student Financial Aid ALN Numbers: Student Financial Aid Cluster Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College/University did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2022-003
2022-003 Reporting Federal Agency: U.S. Department of Education Federal Program Title: Higher Education Emergency Relief Funds ALN Number: 84.425 Award Period: June 01, 2021 through May 31, 2022 Type of Finding: - Significant Deficiency in Internal Control over Compliance - Other Matters Criteria or specific requirement: Per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. The initial reporting for this grant requires the report to be submitted to the college or university?s website within 30 days of the signed Certification Agreement or 30 days after the electronic announcement dated May 6, whichever is later. Colleges and universities were then required to update their websites every 45 days after initial upload. This was changed to quarterly on August 31, 2020. In addition, an annual report is required. Condition: During our testing, we noted the student, institutional, and annual reports did not have documentation of their review prior to submission. Questioned Costs: None Context: A control system to prevent and detect errors in the reporting process was not created at the time the reports were filed and the College did not have a process to track the reporting requirements. In addition, there was a general lack of guidance from ED on reporting requirements. Cause: The College did not have a process in place to ensure reports were reviewed and documentation of review was maintained. Effect: The College did not comply with ED regulations by retaining support for the information reported to ensure accuracy. Repeat finding: No Recommendation: We recommend the College review their reporting procedures to ensure all required steps are included as well as the supporting documentation to prepare the report is retained. The reports should be reviewed by someone other than the preparer of the report and this review should be documented. Views of responsible officials: There is no disagreement with the audit finding.