FAC Explorer

Audit 5881

FY End
2023-07-31
Total Expended
$6.47M
Findings
20
Programs
6
Organization: Cardinal Stritch University, Inc. (WI)
Year: 2023 Accepted: 2023-12-08
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
3722 2023-001 Significant Deficiency - N
3723 2023-002 Material Weakness - L
3724 2023-001 Significant Deficiency - N
3725 2023-002 Material Weakness - L
3726 2023-001 Significant Deficiency - N
3727 2023-002 Material Weakness - L
3728 2023-001 Significant Deficiency - N
3729 2023-002 Material Weakness - L
3730 2023-001 Significant Deficiency - N
3731 2023-002 Material Weakness - L
580164 2023-001 Significant Deficiency - N
580165 2023-002 Material Weakness - L
580166 2023-001 Significant Deficiency - N
580167 2023-002 Material Weakness - L
580168 2023-001 Significant Deficiency - N
580169 2023-002 Material Weakness - L
580170 2023-001 Significant Deficiency - N
580171 2023-002 Material Weakness - L
580172 2023-001 Significant Deficiency - N
580173 2023-002 Material Weakness - L

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $5.00M Yes 2
84.063 Federal Pell Grant Program $1.00M Yes 2
84.038 Federal Perkins Loan Program $351,749 Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $82,888 Yes 2
84.033 Federal Work-Study Program $26,061 Yes 2
84.334 Gaining Early Awareness and Readiness for Undergraduate Programs $3,000 - 0

Contacts

Name Title Type
RJAJQEK32NP1 Thomas Oechler Auditee
4144104697 Jacob Lenell Auditor
No contacts on file

Notes to SEFA

Title: NOTE 2 - OVERSIGHT AND COGNIZANT AGENCIES Accounting Policies: The accompanying Schedules of Expenditures of Federal and State Awards (the Schedules) include the federal grant and state grant activity of Cardinal Stritch University, Inc. and is presented on the accrual basis of accounting. The information in these schedules are presented in accordance with the requirements of the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Therefore, some amounts presented in these schedules may differ from amounts presented in, or used in the preparation of, the financial statements. Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Under these principles, certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Federal and State awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal and state governments and all awards to the University by other organizations pursuant to federal and state grants, contracts, and similar agreements. The Schedules summarize expenditures by primary federal and state funding agencies. De Minimis Rate Used: N Rate Explanation: The University has elected to not use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance and the Wisconsin State Single Audit Guidelines. The University's federal oversight agency for audit is the U.S. Department of Education. The University's state cognizant agency is the Wisconsin Higher Education Aids Board. Grant monies received and disbursed by the University are for specific purposes and are subject to review and audit by the grantor agencies. Such audits may result in requests for reimbursement due to disallowed expenditures. Based upon prior experience, the University does not believe that such disallowances, if any, would have a material effect on the financial position of the University. As of July 31, 2023 management was not aware of any material questioned or disallowed costs as a result of grant audits in process or completed.
Title: NOTE 3 – FEDERAL STUDENT FINANCIAL AID PROGRAM CLUSTER (THE CLUSTER) Accounting Policies: The accompanying Schedules of Expenditures of Federal and State Awards (the Schedules) include the federal grant and state grant activity of Cardinal Stritch University, Inc. and is presented on the accrual basis of accounting. The information in these schedules are presented in accordance with the requirements of the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Therefore, some amounts presented in these schedules may differ from amounts presented in, or used in the preparation of, the financial statements. Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Under these principles, certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Federal and State awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal and state governments and all awards to the University by other organizations pursuant to federal and state grants, contracts, and similar agreements. The Schedules summarize expenditures by primary federal and state funding agencies. De Minimis Rate Used: N Rate Explanation: The University has elected to not use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Federal awards to provide financial assistance to students are combined and considered to be a single program (Student Financial Aid Program Cluster) for major federal program determination. The amount of loans made during the year under federal government student loan programs are considered as disbursements for major program determination. The amounts included in the Schedules represent loans disbursed during the year, plus the related administrative charge. The Student Financial Aid Program Cluster represents the combination of awards by the U.S. Department of Education to provide financial assistance to students under the following programs: • Federal Supplemental Educational Opportunity Grants • Federal Work-Study Program • Federal Perkins Loan Program • Federal Pell Grant Program • Federal Direct Student Loans The University receives awards to make loans to eligible students under certain federal government student loan programs and federally guaranteed loans are issued to the students of the University by the Secretary of Education. These loans are considered for purposes of determining whether student financial assistance is a major program under the Uniform Guidance. The Federal Perkins Loan Program is administered by the University and its service organization. In addition, the Student Financial Aid Program Cluster includes the following federal government student loan programs which are administered by the Secretary of Education: • Subsidized Stafford Loans • Unsubsidized Stafford Loans • Parent Loans for Undergraduate Students The University is responsible only for the performance of certain administrative duties with respect to the federally guaranteed student loan programs, and, accordingly, these loans are not included in its financial statements and it is not practical to determine the balance of loans outstanding to students and former students of Cardinal Stritch University, Inc. under these programs at July 31, 2023. The Federal Perkins Loan Program are administered directly by the University, and balances and transactions relating to these programs are included in the University’s financial statements. Loans outstanding as of July 31, 2023 and 2022 were $327,166 and $344,485, respectively. Collection and administrative charges were $7,263 for the year ended July 31, 2023. There were no new Perkins Loans made during the year ended July 31, 2023.
Title: NOTE 4 – INDIRECT COSTS Accounting Policies: The accompanying Schedules of Expenditures of Federal and State Awards (the Schedules) include the federal grant and state grant activity of Cardinal Stritch University, Inc. and is presented on the accrual basis of accounting. The information in these schedules are presented in accordance with the requirements of the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Therefore, some amounts presented in these schedules may differ from amounts presented in, or used in the preparation of, the financial statements. Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Under these principles, certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Federal and State awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal and state governments and all awards to the University by other organizations pursuant to federal and state grants, contracts, and similar agreements. The Schedules summarize expenditures by primary federal and state funding agencies. De Minimis Rate Used: N Rate Explanation: The University has elected to not use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance and the Wisconsin State Single Audit Guidelines. The University has elected to not use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance and the Wisconsin State Single Audit Guidelines.
Title: NOTE 5 - SUBRECIPIENTS Accounting Policies: The accompanying Schedules of Expenditures of Federal and State Awards (the Schedules) include the federal grant and state grant activity of Cardinal Stritch University, Inc. and is presented on the accrual basis of accounting. The information in these schedules are presented in accordance with the requirements of the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Therefore, some amounts presented in these schedules may differ from amounts presented in, or used in the preparation of, the financial statements. Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance and the Wisconsin State Single Audit Guidelines. Under these principles, certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Federal and State awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal and state governments and all awards to the University by other organizations pursuant to federal and state grants, contracts, and similar agreements. The Schedules summarize expenditures by primary federal and state funding agencies. De Minimis Rate Used: N Rate Explanation: The University has elected to not use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance and the Wisconsin State Single Audit Guidelines. The University did not pass any federal or state grant funding to any subrecipients for the year ending July 31, 2023.

Finding Details

Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023–001 GLBA Risk Assessment Requirements Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: • Implement and periodically review access controls. • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. • Encrypt customer information on the institution’s system and when it’s in transit. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Dispose of customer information securely • Anticipate and evaluate changes to the information system or network. • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Upon reviewing the GLBA policies and procedures it was noted that University did not include the following required components as required in the stated criteria: • Multi-factor authentication, • Security program including vendor due diligence. Questioned costs: None noted. Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation. Cause: The University failed to include the multi-factor authentication and the security program including vendor due diligence in its GLBA policy and procedures manual and related supporting documentation. Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers. Repeat Finding: No Recommendation: We recommend that the University consider any modifications to the GLBA policy and procedures manual and related supporting documentation to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number and Year: P268K242432-2023, P063P222432-2023 Award Period: August 1, 2022 to July 31, 2023 Type of Finding: • Material Weakness in Internal Control over Compliance • Material Noncompliance (Modified Opinion) Criteria or specific requirement: Institutions are required to report enrollment information under the Pell grant and the Direct and FFEL loan programs via the NSLDS (OMB No. 1845-0035), although FFEL loans are no longer made or a part of the SFA Cluster, a student may have a FFEL loan from previous years that would require enrollment reporting for that student (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update, and verify student enrollment statuses, program information, and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website which the financial aid administrator can access for the auditor. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. The NSLDS Enrollment Reporting Guide provides the requirements and guidance for reporting enrollment details using the NSLDS Enrollment Reporting Process. Condition: The University could not provide documentation that the enrollment status reported in NSLDS was in agreement with the University’s records. Questioned costs: There are no questioned costs. Context: The University is in the process of winding down operations, and is no longer providing educational services, and no longer has access to the NSLDS system. Cause: The University no longer has access to the NSLDS system, and therefore could not provide documentation that the enrollment status reported in NSLDS was supported by the University’s records. Effect: The University failed to comply with the stated criteria. Repeat Finding: No Recommendation: We recommend that the University consider any NSLDS access and documentation requirements necessary to ensure compliance with the stated criteria. Views of responsible officials: There is no disagreement with the audit finding.