Finding 2022-01 - Gramm-Leach-Bliley Act (GLBA)

ALN: 84.268 Federal Direct Loan Program; 84.063 Federal Pell Grant Program; 84.033 Federal Work Study Program; 84.007 Federal Supplemental Educational Opportunity Grant; 84.038 Federal Perkins Loan Program
Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: In accordance with Title IV regulations (CFR 314.1(b)), an institution must protect student financial aid information by designating an individual to coordinate the information security program; performing a risk assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures; and documenting safeguards for the identified risks.

Condition: The University has not performed a risk assessment addressing (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures, as required by the Gramm-Leach-Bliley Act (GLBA). In addition, the University has not documented safeguards for identified risks.

Cause: The University did not complete an updated security assessment during the year addressing the procedures and processes in place specific to GLBA, and therefore did not document the required risk assessment or risk mitigation.

Effect: With no updated policies and procedures surrounding student information security, the University may be susceptible to threats to consumer nonpublic personal information. Failure to comply with GLBA standards may bring penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.

Questioned Costs: None.

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should have at least one risk statement aligned or referenced to each of the three required areas noted in the GLBA regulation at 16 CFR 314.4(b). Finally, the University should identify and document at least one safeguard (i.e., control) for each of the risks identified and documented in the risk assessment. Each control should be aligned or referenced to the risk(s) to which the safeguard applies.

Management Response: While a specific GLBA audit has not been performed, the University does have a well-developed document titled "Institutional Policies for Safety, Security and Technology," which was released in September 2020. There are policies and procedures within it that indirectly address the requirements of GLBA. The Chief Information Officer (CIO) position was transitioned in 2022, and the new CIO noted that the University had not engaged with any new vendor to produce a Security Assessment Report during fiscal year 2022. The University has since engaged with the Cybersecurity and Infrastructure Security Agency (CISA) to perform vulnerability scanning and penetration testing reporting, so it now has operational security assessment reports from CISA that serve as the framework for applying patches and identifying equipment that needs attention. The University implemented the security assessments in the Fall of 2022. The University has taken the following steps to address the risks identified during the audit:

1. Employee Training and Management
a. The University deployed the KnowBe4 Security Awareness Program to all full-time staff. The program provides training for managing user data and email messages. To date, the University has distributed two campaigns to combat email phishing attempts.

2. Information systems, including network and software design, as well as information processing, storage, transmission and disposal
a. The University has formulated a digital transformation strategy to reduce on-premises systems and applications. All the critical business systems are hosted at a colocation facility or are SaaS solutions.
b. The University performs backups of all on-premises systems using technology that creates immutable storage.
c. The University leverages the cybersecurity experience of resellers and manufacturers to ensure all core network technology is installed and configured to minimize any attack surface.

3. Detecting, preventing, and responding to attacks, intrusions, or other systems failures, and documenting safeguards for identified risks as required by the Gramm-Leach-Bliley Act (GLBA)
a. The University has deployed a redundant pair of Fortinet Advanced Firewalls to monitor and block traffic with suspicious payloads.
b. The University has updated to the latest version of Microsoft Advanced Threat Defender to serve as optimal endpoint protection for managing email traffic.
c. The University contracted with the Cybersecurity and Infrastructure Security Agency (CISA) to perform vulnerability scans and penetration testing. The IT department evaluates the weekly reports and remediates highlighted deficiencies.
d. The University has removed all admin rights from school-managed computers, eliminating the ability to install local software.
e. The University has deployed an updated VPN client to all school-managed computers, providing a secure tunnel for accessing network services.
f. The University manages the web browsers of all school-managed computers.
Finding 2022-02 - Enrollment Reporting

ALN: 84.268 Federal Direct Loan Program; 84.063 Federal Pell Grant Program
Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: Title IV regulations (34 CFR 685.309(b)) require that, upon receipt of an enrollment report from the Secretary of Education (Secretary), institutions must update all information included in the report and return the report to the Secretary: (i) in the manner and format prescribed by the Secretary; and (ii) within the timeframe prescribed by the Secretary. Unless it expects to submit its next updated enrollment report to the Secretary within the next 60 days, an institution must notify the Secretary within 30 days after the date the institution discovers that: (i) a loan under Title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the institution, and the student has ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended; or (ii) a student who is enrolled at the institution and who received a loan under Title IV of the Act has changed his or her permanent address.

Condition: The change in student status for one of twenty-five students tested was not reported to the National Student Loan Data System (NSLDS) within 30 days or included in a response to a roster file within 60 days. However, the student was ultimately reported to the NSLDS.

Cause: For this student who withdrew from the University, the University's procedures for reporting the change in status were not designed appropriately to allow for timely reporting to the NSLDS.

Effect: The accuracy of Title IV student loan records depends heavily on the accuracy of the enrollment information reported by schools. If an institution does not review, update, and verify student enrollment statuses, the effective dates of the enrollment status, and the anticipated completion dates, the Title IV student loan records will be inaccurate.

Questioned Costs: None.

Recommendation: The University should revise its procedures to ensure that accurate enrollment information is sent to the NSLDS within the required timeframe for all students and that notifications between departments are communicated in a timely manner.

Management Response: As of the date that this student withdrew, the Registrar's Office was working with the Information Technology (IT) department to implement a process of receiving automatic email notifications when a student has been determined as withdrawn in the student management system (Colleague). At the beginning of calendar year 2022, these notifications were implemented and are now sent to the Registrar's Office, Student Billing Office, Residence Life Office, and the Financial Aid Office, notifying them when a student is withdrawn from all of their courses. These notifications will now help mitigate the risk of untimely reporting. Additionally, the University has created a weekly report that is pulled by the Registrar's Office to find students who are active but not enrolled, or listed as on Leave of Absence (LOA) but not enrolled in a future class.
Finding 2022-03 - Cash Management

ALN: 84.425E COVID-19 - Higher Education Emergency Relief Fund (HEERF) - Student Portion
Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: The U.S. Department of Education (ED) communicated updated cash management guidance for the HEERF through the release of the HEERF II FAQs on January 14, 2021. HEERF II FAQ #17 specified that grantees are under an obligation to minimize the time between drawing down funds from G5 and paying obligations incurred by the grantee. ED considered institutions compliant if they paid emergency grants to students from the HEERF funds within 15 days of the drawdown, and paid for all other uses within 3 days. The Uniform Guidance requires the identification and documentation of costs as federal expenditures to occur prior to or within the timeframe established for paying obligations when grantees must follow enhanced cash management requirements.

Condition: The University drew down $53,560 of HEERF funds from the student portion in August 2021; however, a majority of those funds were not disbursed to students within 15 days after the drawdown occurred.

Cause: The University was unsure of how the threat of rescission of HEERF funds, communicated by NASFAA on August 17, 2021, would affect any of its outstanding funding. Therefore, the funds were drawn so as not to be potentially rescinded, but were not distributed to students within the 15-day timeframe.

Effect: The University could have drawn down funds for ineligible costs or with improper timing if sufficient allowable costs had not been identified that occurred prior to or within 15 days of the drawdown date. If ED identifies an institution as having an elevated risk or as suspected of improperly administering its HEERF grant funds, ED has a range of possible enforcement actions, which could include heightened or more frequent reporting, monitoring or auditing of an institution and placing the HEERF grants on "Route Payment Status," which requires prior authorization from ED to draw down any remaining funds. As of the audit report date, the University has not received any notification of enforcement actions taken against the University related to the HEERF program.

Questioned Costs: None.

Recommendation: We recommend that the University implement controls and processes to ensure that all expenses are properly identified and documented before any drawdowns are made.

Management Response: The funding was drawn down as the result of news publications from various sources in August 2021 indicating that the infrastructure package threatened to take away unused relief funds. At the time, no credible source was able to confirm whether this meant the University would lose unused HEERF II and III funds. To safeguard the student funding, the University drew down the remaining balance for HEERF II, knowing it would have students to award the funds to shortly thereafter. All other HEERF awards were drawn down on a reimbursement basis.