Audit 7568

FY End: 2023-06-30
Total Expended: $13.69M
Findings: 14
Programs: 13
Organization: Saint Martin's University (WA)
Year: 2023
Accepted: 2023-12-19
Auditor: Moss Adams LLP

Findings

ID Ref Severity Repeat Requirement
5642 2023-001 Significant Deficiency - N
5643 2023-001 Significant Deficiency - N
5644 2023-002 Significant Deficiency - N
5645 2023-002 Significant Deficiency - N
5646 2023-002 Significant Deficiency - N
5647 2023-002 Significant Deficiency - N
5648 2023-002 Significant Deficiency - N
582084 2023-001 Significant Deficiency - N
582085 2023-001 Significant Deficiency - N
582086 2023-002 Significant Deficiency - N
582087 2023-002 Significant Deficiency - N
582088 2023-002 Significant Deficiency - N
582089 2023-002 Significant Deficiency - N
582090 2023-002 Significant Deficiency - N

Contacts

Name Title Type
X1JTKJDRL5M7 Stefanie Powell Auditee
3606882470 Scott Simpson Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: N/A

The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Saint Martin’s University (the University) under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.

Finding Details

2023-001 – Return of Title IV Funds – Significant Deficiency in Internal Controls over Compliance

Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans
Federal Award Number: P063P220416, P268K230416
Award Year: 2022-23

Criteria: When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date (34 CFR 668.22). Per 34 CFR 668.22(c)(4), an institution not required to take attendance must document a student's withdrawal date determined in accordance with 34 CFR 668.22(c) paragraphs (1), (2) & (3) and maintain the documentation as of the date of the institution's determination that the student withdrew as defined in 34 CFR 668.22(l)(3).

Condition/context: A sample of 7 students (6 official and 1 unofficial) out of a population of 35 students who were identified by the University as having withdrawn from the institution during the fiscal year was selected for testing. For the 6 official withdrawal selections, the University was unable to provide sufficient evidence to support the withdrawal date used in the calculation of Title IV funds to be returned. Our sample was not, and was not intended to be, statistically valid.

Questioned costs: Undetermined

Cause/Effect: This occurred because of a lack of implementation of procedures and controls to ensure records used in the calculation of Title IV funds to be returned were properly maintained. There was turnover during the fiscal year in the student financial aid department, and the University was also utilizing third parties to assist in some student financial aid functions in the interim. Because procedures and controls were not operating as intended, the University is unable to support the dates used to determine the amount of Title IV funds earned and to be returned.

Repeat finding: No

Recommendation: We recommend the University further educate and train those involved in the Financial Aid department regarding the return to Title IV requirements. We also recommend that the University review procedures and controls and ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely, and that the support used to complete calculations, including indication of withdrawal date, is properly documented and maintained.

Views of responsible officials and planned corrective actions: As of June 2023, the Financial Aid department has a full-time Director, who is responsible for the Return to Title IV (R2T4) determinations. Following the regulations set forth by the Department of Education on R2T4 calculations for schools not required to take attendance, we have reviewed procedures and controls to ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely. Going forward, we will ensure maintenance of proper documentation on students requiring a calculation, including indication of withdrawal date. Potential R2T4 calculations audits are now run multiple times a week, and will continue to be, in order to address timely calculations. The Director plans to continue education in the area of R2T4 calculations to maintain the most accurate and updated information on the topic.
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance

Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants
Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416
Award Year: 2022-23

Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023.

Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4.

Questioned costs: None.

Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk.

Repeat finding: No

Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements.

Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416 Award Year: 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. 
The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. Repeat finding: No Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416 Award Year: 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. 
The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. Repeat finding: No Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416 Award Year: 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. 
The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. Repeat finding: No Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416 Award Year: 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. 
The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. Repeat finding: No Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
2023-001 – Return of Title IV Funds – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans Federal Award Number: P063P220416, P268K230416 Award Year: 2022-23 Criteria: When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date (34 CFR 668.22). Per 34 CFR 668.22(c)(4), An institution not required to take attendance must document a student's withdrawal date determined in accordance with 34 CFR 668.22(c) paragraphs (1), (2) & (3) and maintain the documentation as of the date of the institution's determination that the student withdrew as defined in 34 CFR 668.22(l)(3). Condition/context: A sample of 7 students (6 official and 1 unofficial) out of a population of 35 students who were identified by the University as having withdrawn from the institution during the fiscal year was selected for testing. For the 6 official withdrawal selections, the University was unable to provide sufficient evidence to support the withdrawal date used in the calculation of Title IV funds to be returned. Our sample was not, and was not intended to be, statistically valid. Questioned costs: Undetermined Cause/Effect: This occurred because of a lack of implementation of procedures and controls to ensure records used in the calculation of title IV funds to be returned were properly maintained. There was turn over during the fiscal year in the student financial aid department, and the University was also utilizing third parties to assist in some student financial aid functions in the interim. 
Because procedures and controls were not operating as intended, the University is unable to support the dates used to determine the amount of Title IV funds earned and to be returned. Repeat finding: No Recommendation: We recommend the University further educate and train those involved in the Financial Aid department regarding the return to Title IV requirements. We also recommend that the University review procedures and controls and ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely, and that the support used to complete calculations, including indication of withdrawal date, is properly documented and maintained. Views of responsible officials and planned corrective actions: As of June 2023, the Financial Aid department has a full-time Director, who is responsible for the Return to Title IV (R2T4) determinations. Following the regulations set forth by the Department of Education on R2T4 calculations for schools not required to take attendance, we have reviewed procedures and controls to ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely. Going forward, we will ensure maintenance of proper documentation on students requiring a calculation, including indication of withdrawal date. Potential R2T4 calculations audits are now run multiple times a week, and will continue to be, in order to address timely calculations. The Director plans to continue education in the area of R2T4 calculations to maintain the most accurate and updated information on the topic
2023-001 – Return of Title IV Funds – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S Department of Education Federal Assistance Listing Number: 84.063, 84.268 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans Federal Award Number: P063P220416, P268K230416 Award Year: 2022-23 Criteria: When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date (34 CFR 668.22). Per 34 CFR 668.22(c)(4), An institution not required to take attendance must document a student's withdrawal date determined in accordance with 34 CFR 668.22(c) paragraphs (1), (2) & (3) and maintain the documentation as of the date of the institution's determination that the student withdrew as defined in 34 CFR 668.22(l)(3). Condition/context: A sample of 7 students (6 official and 1 unofficial) out of a population of 35 students who were identified by the University as having withdrawn from the institution during the fiscal year was selected for testing. For the 6 official withdrawal selections, the University was unable to provide sufficient evidence to support the withdrawal date used in the calculation of Title IV funds to be returned. Our sample was not, and was not intended to be, statistically valid. Questioned costs: Undetermined Cause/Effect: This occurred because of a lack of implementation of procedures and controls to ensure records used in the calculation of title IV funds to be returned were properly maintained. There was turn over during the fiscal year in the student financial aid department, and the University was also utilizing third parties to assist in some student financial aid functions in the interim. 
Because procedures and controls were not operating as intended, the University is unable to support the dates used to determine the amount of Title IV funds earned and to be returned. Repeat finding: No Recommendation: We recommend the University further educate and train those involved in the Financial Aid department regarding the return to Title IV requirements. We also recommend that the University review procedures and controls and ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely, and that the support used to complete calculations, including indication of withdrawal date, is properly documented and maintained. Views of responsible officials and planned corrective actions: As of June 2023, the Financial Aid department has a full-time Director, who is responsible for the Return to Title IV (R2T4) determinations. Following the regulations set forth by the Department of Education on R2T4 calculations for schools not required to take attendance, we have reviewed procedures and controls to ensure they are properly designed and implemented to ensure calculations are occurring accurately and timely. Going forward, we will ensure maintenance of proper documentation on students requiring a calculation, including indication of withdrawal date. Potential R2T4 calculations audits are now run multiple times a week, and will continue to be, in order to address timely calculations. The Director plans to continue education in the area of R2T4 calculations to maintain the most accurate and updated information on the topic
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants
Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416
Award Year: 2022-23
Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023.
Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4.
Questioned costs: None.
Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of Saint Martin’s information security program, has experienced turnover in recent years including the unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in implementation of this standard. The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk.
Repeat finding: No
Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements.
Views of responsible officials and planned corrective actions: Saint Martin’s University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.