Corrective Action Plan
For the Year Ended May 31, 2023
Finding 2023-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268;
United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant de...
Corrective Action Plan
For the Year Ended May 31, 2023
Finding 2023-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268;
United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance
for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including
performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal
Regulations (CFR) 314.4 (b).
Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified
were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would
have addressed required areas noted in 16 CFR 314.4 (b).
Questioned Costs: Questioned costs could not be determined.
Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The
internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute
performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b).
Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the
safeguards required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no verifiable evidence of the policy and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the
three required areas, which are (1) employee training and management; (2) information systems, including network
and software design, as well as information processing, storage, transmission and disposal; and (3) detecting,
preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and
reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In
addition, we recommend management review internal control processes for special tests and provisions on an
annual basis.
Status: In progress, anticipated completion September 2024
Corrective Action: Management agrees with the finding. We are currently developing a comprehensive cybersecurity
policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed
annually. We are now conducting annual penetration tests, the most recent in December 2023, to address internal
control processes. We have contracted with a planning team at CDW to determine best practices and perform
training. We have begun providing a quarterly GLBA Compliance update to our board, with an annual
comprehensive GLBA review to the board.
Contact
Matt Ogden
Director of Technology
414.847.3223
mattogden@miad.edu
Submitted Feb 23, 2024