FAC Explorer

Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs
58,049
In database
Filtered Results
12,448
Matching current filters
Showing Page
309 of 498
25 per page

Filters

Clear
Active filters: Subrecipient Monitoring
Finding 386296 (2023-001)
Significant Deficiency 2023
Fullerton Joint Union High School District
CA
Questioned Costs Allowable Costs / Cost Principles Equipment & Real Property Management § 200.303 § 200.439
Recommendation: We recommend the District design procedures and controls to ensure adequate prior approval of construction related expenditures charged to the Education Stabilization Fund program. Explanation of disagreement with audit findings: There isno disagreement with the audit finding. Distri...
Recommendation: We recommend the District design procedures and controls to ensure adequate prior approval of construction related expenditures charged to the Education Stabilization Fund program. Explanation of disagreement with audit findings: There isno disagreement with the audit finding. District Response: Name of the contact person responsible for corrective action: Ruben Hernandez, Assistant Superintendent, Business Services. Planned completion date for corrective action plan: Immediate.
View Audit 298701 Questioned Costs: $1
Finding 386267 (2023-002)
Significant Deficiency 2023
Hugo Public School District No. I-39, Choctaw County, Ok
OK
Subrecipient Monitoring Internal Control / Segregation of Duties Special Tests & Provisions
Hugo Schools will communicate to and require that construction contracts provide proof of compliance such as payroll documents or other certifying records. Hugo schools administration will ensure that construction companies under contract will abide by all rules mandated by the Davis Bacon Act
Hugo Schools will communicate to and require that construction contracts provide proof of compliance such as payroll documents or other certifying records. Hugo schools administration will ensure that construction companies under contract will abide by all rules mandated by the Davis Bacon Act
View Audit 298674
Finding 386244 (2023-004)
Material Weakness 2023
Lansing Housing Commission
MI
Subrecipient Monitoring HUD Housing Programs Material Weakness § 200.334
Condition: The Commission did have required written policies in place during the year under audit or retained copies of grant agreements once they became the direct recipient of the grants. Planned Corrective Action: Management agrees with the finding as reported. To correct this finding, the Commis...
Condition: The Commission did have required written policies in place during the year under audit or retained copies of grant agreements once they became the direct recipient of the grants. Planned Corrective Action: Management agrees with the finding as reported. To correct this finding, the Commission reviewed its policies and procedures and revised as needed to comply with federal regulations. The policies were presented and approved at the August 2023 board meeting. The Commission has sent revised policies to HUD for their review and approval. Contact person responsible for corrective action: Steve Raiche Anticipated Completion Date: 6/30/2024
View Audit 298666
Finding 386243 (2023-003)
Material Weakness 2023
Lansing Housing Commission
MI
Questioned Costs Matching / Level of Effort / Earmarking Subrecipient Monitoring § 200.306
Condition: The Commission was unable to provide adequate source documentation to support that the match requirement was met. Planned Corrective Action: Management agrees that match requirements for Continuum of Care awards have not been maintained as required by the Uniform Guidance. In July 2023, m...
Condition: The Commission was unable to provide adequate source documentation to support that the match requirement was met. Planned Corrective Action: Management agrees that match requirements for Continuum of Care awards have not been maintained as required by the Uniform Guidance. In July 2023, management was notified by HUD after completion of an on-site monitoring visit that the Commission's claimed matching expenses that were not adequately supported by source documentation. In response, management has placed in service additional controls to ensure the compliance requirements are being monitored and in place for the new program. Contact person responsible for corrective action: Steve Raiche Anticipated Completion Date: 6/30/2024
View Audit 298666 Questioned Costs: $1
Upper Iowa University
IA
Subrecipient Monitoring
UIU has acknowledged the issues presented and will be working with Columbia Advisory group to address them. This contract began January of 2024, UIU commits to having the Executive Director of Information Technology Systems monitor requirements.
UIU has acknowledged the issues presented and will be working with Columbia Advisory group to address them. This contract began January of 2024, UIU commits to having the Executive Director of Information Technology Systems monitor requirements.
View Audit 298663
Finding 386233 (2023-001)
Significant Deficiency 2023
Ecological Society of America, INC
DC
Procurement, Suspension & Debarment Subrecipient Monitoring
Views of Responsible Officials and Corrective Action: Vendors who are paid for grant funded activities will be checked on the SAM website to be sure they are not disbarred from doing business with the Federal government. A copy of the SAM check will be submitted as part of the check request process....
Views of Responsible Officials and Corrective Action: Vendors who are paid for grant funded activities will be checked on the SAM website to be sure they are not disbarred from doing business with the Federal government. A copy of the SAM check will be submitted as part of the check request process. No payments will be approved unless the paperwork includes a SAM verification check. This applies to vendors, subcontractors, hotels and other partners. It does not apply to travel reimbursements to individuals participating in workshops or other grant funded activities under the participant support line item.Program directors will complete the SAM check and submit the proof with each check request. The CFO and Executive Director will not approve or process check requests that do not include the SAM check. This has been added to the ESA Grant Accounting Policy and Procedures document.
View Audit 298659
Finding 386223 (2023-001)
Significant Deficiency 2023
Rockingham Nutrition and Meals on Wheels Program
NH
Subrecipient Monitoring Reporting Significant Deficiency § 200.328 § 200.329
Audit Finding Reference: 2023-001 Improve Controls Over Reporting Planned Corrective Action: 1. Request a list from DHHS of definitions of income types by program in the Quarterly Reports. Ensure that this list provides clarity on how to report income that is not explicitly tied to a single progr...
Audit Finding Reference: 2023-001 Improve Controls Over Reporting Planned Corrective Action: 1. Request a list from DHHS of definitions of income types by program in the Quarterly Reports. Ensure that this list provides clarity on how to report income that is not explicitly tied to a single program. 2. Review AFY23 and AFY24-to-date reports against these criteria (once received), and re-submit any reports which may need to be modified to comply with the guidance. 3. Going forward, the Quarterly Reports will be generated differently. The Client Services Manager will prepare actuals by program for number of clients and units. The Director of Administration will prepare actuals by program for income and expense. The Executive Director will compile the final report, which will not be submitted until both the Client Services Manager and Director of Administration have both checked the reports and electronically signed them. In the absence of specific guidance from DHHS to the contrary, any non-program-specific income will be allocated to programs by share of service units delivered. Planned Implementation Date of Corrective Action: 1. 3/29/24. 2. 6/30/24. 3. 4/15/24. Person Responsible for Corrective Action: Tim Diaz, Executive Director
View Audit 298652
Finding 386211 (2023-001)
Significant Deficiency 2023
Puerto Rico Traffic Safety Commission
PR
Subrecipient Monitoring Reporting
SEE THE AUDIT FINDING FOR CHART/TABLE
SEE THE AUDIT FINDING FOR CHART/TABLE
View Audit 298638
Lebanon Valley College
PA
Student Financial Aid Matching / Level of Effort / Earmarking Subrecipient Monitoring
Finding 2023-002 – Enrollment Reporting Condition: The College did not notify the National Student Loan Data System (NSLDS) in a timely manner for 1 student with a status change out of a sample of 25 tested. Management Response: Management concurs with the finding. Views of Responsible Officials and...
Finding 2023-002 – Enrollment Reporting Condition: The College did not notify the National Student Loan Data System (NSLDS) in a timely manner for 1 student with a status change out of a sample of 25 tested. Management Response: Management concurs with the finding. Views of Responsible Officials and Corrective Action Plan: Lebanon Valley College uses the National Student Clearinghouse (NSC) to transmit enrollment information to the National Student Loan Data System (NSLDS). The College has verified that the student status changes were correctly submitted to the NSC, however the campus and program level information was not properly reflected in NSLDS and did not appear on the error report. This appears to be connected to the outages experienced by NSLDS. The College’s Financial Aid Office, along with the Registrar’s office will begin verifying the number of students on the NSLDS student roster each semester. The roster number will be compared to the number of students expected to be on the roster per Financial Aid data. Any discrepancies in this number will be researched and the discovery of any that did not reach NSLDS will be corrected in conjunction with the NSC and NSLDS. Anticipate Completion Date: April 1, 2024 Name of Responsible Person: Christopher Hanlon, Director of Financial Aid chanlon@lvc.edu
View Audit 298636
Finding 386208 (2023-001)
Significant Deficiency 2023
Lincoln County Board of Education
GA
Subrecipient Monitoring Reporting Special Tests & Provisions § 200.303
FA 2023-001 Strengthen Controls over Wage Rate Requirements Compliance Requirement: Special Tests and Provisions Internal Control Impact: Significant Deficiency Compliance Impact: Nonmaterial Noncompliance Federal Awarding Agency: U.S. Department of Education Pass-Through Entity: Georgia Departmen...
FA 2023-001 Strengthen Controls over Wage Rate Requirements Compliance Requirement: Special Tests and Provisions Internal Control Impact: Significant Deficiency Compliance Impact: Nonmaterial Noncompliance Federal Awarding Agency: U.S. Department of Education Pass-Through Entity: Georgia Department of Education Assistance Listing Number and Title: COVID-19 - 84.425U - American Rescue Plan Elementary and Secondary School Emergency Relief Fund Federal Award Number: S425U210012 (Year: 2021) Questioned Costs: None Identified Prior Year Finding: Not Applicable Description: A review of construction-related expenditures charged to the Elementary and Secondary School Emergency Relief Fund programs revealed that the School District's internal control procedures were not operating to ensure that Wage Rage Requirements were followed properly. Corrective Action Plans: The School District will review and update the current procedures to ensure that the Wage Rate requirements are met. Estimated Completion Date: June 30, 2024 Contact Person: Dr. Samuel P. Light, Superintendent Telephone: (706) 359-3742 Email: slight@lcboe.us
View Audit 298629
Municipality of Culebra
PR
Subrecipient Monitoring Reporting Internal Control / Segregation of Duties
The quarterly reports mentioned in the findings were prepared and submitted to the Puerto Rico Housing Department for review and evaluation.
The quarterly reports mentioned in the findings were prepared and submitted to the Puerto Rico Housing Department for review and evaluation.
View Audit 298592
Finding 386151 (2023-002)
Significant Deficiency 2023
Bayaud Enterprises, Inc.
CO
Subrecipient Monitoring Allowable Costs / Cost Principles Eligibility § 200.333
We will review processes uon termination to ensure all necessary documentation is maintained.
We will review processes uon termination to ensure all necessary documentation is maintained.
View Audit 298562
Finding 386135 (2023-002)
Significant Deficiency 2023
Delta Research and Educational Foundation
DC
Questioned Costs Allowable Costs / Cost Principles Subrecipient Monitoring § 200.309 § 200.461
Views of Responsible Officials: Grant funds received pursuant to a period of performance or an approved drawdown or reimbursement request will be expended as specified in the request. When Federal grants are funded in advance, rather than on a reimbursement basis, the Foundation will minimize the ti...
Views of Responsible Officials: Grant funds received pursuant to a period of performance or an approved drawdown or reimbursement request will be expended as specified in the request. When Federal grants are funded in advance, rather than on a reimbursement basis, the Foundation will minimize the time elapsing between the receipt of Federal grant funds and disbursement of such funds for their approved purpose. We will implement procedures to ensure that expenses are recorded or accrued properly.
View Audit 298546 Questioned Costs: $1
Finding 386118 (2023-001)
Material Weakness 2023
Hydro-Eakly Independent School District #11
OK
Procurement, Suspension & Debarment Subrecipient Monitoring Material Weakness
The School Superintendent will review all projects funded by Federal funds to determine if any projects are considered construction projects. The Superintendent will require all such contracts to include prevailing wage clauses to ensure that federal wage rates and fringe benefits, are met, as requ...
The School Superintendent will review all projects funded by Federal funds to determine if any projects are considered construction projects. The Superintendent will require all such contracts to include prevailing wage clauses to ensure that federal wage rates and fringe benefits, are met, as required by the Davis-Bacon Act. The Superintendent will review weekly payroll reports provided by the contractor to ensure adherence to the contract clauses. The Superintendent will survey the job site weekly to ensure that required work site notices are posted.
View Audit 298524
Finding 386110 (2023-002)
Significant Deficiency 2023
Des Moines Independent Community School District
IA
Subrecipient Monitoring Cash Management Reporting
Corrective Action: After the Food and Nutrition Director reviews the monthly claims, she will send an email noting her approval, before the claim is submitted to the state. This email approval will be attached to the journal entry support that is posted in the financial system when recording the rev...
Corrective Action: After the Food and Nutrition Director reviews the monthly claims, she will send an email noting her approval, before the claim is submitted to the state. This email approval will be attached to the journal entry support that is posted in the financial system when recording the revenue. Contact Person: Amanda Miller, Director of Food & Nutrition Services and Logistics / Ray Serrano - Accountant Anticipated Completion Date: June 30, 2024
View Audit 298501
Finding 386108 (2023-003)
Material Weakness 2023
Madison County, Nebraska
NE
Questioned Costs Subrecipient Monitoring Allowable Costs / Cost Principles § 200.332
The County is aware of the above finding and has adjusted our procedures related to disbursing federal funds to subrecipients. We have changed to a cost reimbursement basis for disbursing the federal funds to subrecipients. We currently receive supporting documentation prior to payment.
The County is aware of the above finding and has adjusted our procedures related to disbursing federal funds to subrecipients. We have changed to a cost reimbursement basis for disbursing the federal funds to subrecipients. We currently receive supporting documentation prior to payment.
View Audit 298495 Questioned Costs: $1
Finding 386104 (2023-001)
Significant Deficiency 2023
Northwest Mississippi Community College
MS
Student Financial Aid Subrecipient Monitoring Internal Control / Segregation of Duties
Name Connie Joseph Title Controller Phone (662) 562-3292 Email cjoseph@northwestms.edu Finding 2023-001: U.S. Department of Education-Student Financial Assistance Management is in the process of developing a written information security program. Anticipated Completion Date: Prior to June ...
Name Connie Joseph Title Controller Phone (662) 562-3292 Email cjoseph@northwestms.edu Finding 2023-001: U.S. Department of Education-Student Financial Assistance Management is in the process of developing a written information security program. Anticipated Completion Date: Prior to June 30, 2024
View Audit 298492
Finding 386101 (2023-002)
Significant Deficiency 2023
Wellspace Health
CA
Subrecipient Monitoring Internal Control / Segregation of Duties
Corrective Action Plan: The Organization will strengthen procedures to ensure discounts for sliding fee is applied consistently and accurately. Immediately, the Organization will conduct monthly application audits. An audit of 25 sliding fee application forms completed in the month prior will be exa...
Corrective Action Plan: The Organization will strengthen procedures to ensure discounts for sliding fee is applied consistently and accurately. Immediately, the Organization will conduct monthly application audits. An audit of 25 sliding fee application forms completed in the month prior will be examined for accuracy, along with their supporting data. All information from these applications will be cross‐verified in NextGen. The results from the sliding fee monthly audits will be monitored and reported quarterly at the Quality Assurance and Quality Improvement meetings. This has continued to occur monthly. We will be implementing a workflow adjustment stating all Slide applications will be noted in the system with a 30day expire date. This will ensure the staff will be able to notify the patient they would need to begin the process over and present the supporting documentation. Once the documentation is received the timeframe will extend to the one year. Furthermore, the Organization will continue the practice of conducting skills assessments at the start of the year and once more in July. These assessments are crucial as they help pinpoint staff members who might benefit from refresher training. Moreover, a meeting has been scheduled to finalize the days and times for virtual sliding fee application training. This training, aimed at all staff who handle a sliding fee form, will be spread out over four weeks, with one session per week lasting an hour. Additionally, the Organization will introduce a sliding fee training video to the new employee orientation. After completing their NextGen training, staff will receive this training video via email. Furthermore, this video will also be sent to all health center leadership to be utilized at the health center level. Estimated completion date: September 30, 2024 Contact person: Shannon Potter, Deputy Chief of Business Service
View Audit 298487
Finding 386098 (2023-001)
Significant Deficiency 2023
Granite United Way
NH
Reporting Subrecipient Monitoring
Granite United Way will establish additional policies and procedures to ensure that all Federal awards are identified and reported accurately on the SEFA and that subrecipient amounts are reconciled with the expenditures in the general ledger. The Chief Impact Officer will now prepare the initial dr...
Granite United Way will establish additional policies and procedures to ensure that all Federal awards are identified and reported accurately on the SEFA and that subrecipient amounts are reconciled with the expenditures in the general ledger. The Chief Impact Officer will now prepare the initial draft of the SEFA, including federal agency assistance listing numbers, pass-through entities, program names and subrecipient information. This draft will be reviewed by the Contracts Specialist for accuracy and comparison with the existing contracts for accurate information. The Chief Financial Officer will review the draft SEFA and compile the general ledger transactions, which will have already been reconciled with the invoice submissions to the state of NH. Cover sheets for check requests will differentiate between Subawards/Subrecipients and Procurement Contracts/Contractors when designated to the line item names Subcontracts/Agreements to ensure that procurement contracts/contractor expenses are not misclassified on the SEFA as Subawards/Subrecipient expenses.
View Audit 298472
Finding 386097 (2023-001)
Significant Deficiency 2023
City of Portsmouth
NH
Procurement, Suspension & Debarment Subrecipient Monitoring Reporting
The City of Portsmouth, New Hampshire respectfully submits the following corrective action plan for the year ended June 30, 2023. Audit period: July 1, 2022 – June 30, 2023 The finding from the schedule of findings and questioned costs is discussed below. The finding is numbered consistently with th...
The City of Portsmouth, New Hampshire respectfully submits the following corrective action plan for the year ended June 30, 2023. Audit period: July 1, 2022 – June 30, 2023 The finding from the schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. FINDING—FEDERAL AWARD PROGRAMS AUDITS DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT 2023-001 Community Development Block Grant - Assistance Listing Number 14.218 Recommendation: We recommend the City enhance internal controls and procedures to comply with all FFATA reporting requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Some FFATA reports were not entered timely into FSRS in FY 23. This was due to an incomplete understanding about the requirement as well as no FFATA reporting requests by the federal granting agency (HUD) to the City. All required FFATA reports were entered into the FSRS after the deadlines, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future. Name(s) of the contact person(s) responsible for corrective action: Elise Annunziata, Community Development Director Planned completion date for corrective action plan: All required FFATA reports were already entered into the FSRS, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future.
View Audit 298471
Finding 386093 (2023-003)
Significant Deficiency 2023
Municipality of Rio Grande
PR
Subrecipient Monitoring Reporting Significant Deficiency
As an internal control, the accountant in charge of the program will keep monthly reports of the expenditures to expedite the collection of information and submit timely and complete reports. The documentation of the reports will be physically filed and digitally saved in the accounting files. Impl...
As an internal control, the accountant in charge of the program will keep monthly reports of the expenditures to expedite the collection of information and submit timely and complete reports. The documentation of the reports will be physically filed and digitally saved in the accounting files. Implementation Date: Fiscal Year 2023-2024 Responsible Person: Mr. Ángel L. Reyes Matos, Finance Director
View Audit 298462
Finding 386084 (2023-001)
Significant Deficiency 2023
Miracosta Community College District
CA
Special Tests & Provisions Student Financial Aid Subrecipient Monitoring
During the year-end audit testing phase, the Financial Aid office was notified in August 2023 of the deficiencies noted on this finding. The Financial Aid office immediately took action to implement the recommendations in August 2023. The District established effective controls in August 2023 to en...
During the year-end audit testing phase, the Financial Aid office was notified in August 2023 of the deficiencies noted on this finding. The Financial Aid office immediately took action to implement the recommendations in August 2023. The District established effective controls in August 2023 to ensure the return of funds occurs within 45 days from the date the institution determines the student withdrew from all classes and that the withdrawal determination is performed within the required timeframe. Additionally, the District implemented procedures in August 2023 to ensure that the academic calendar loaded in the financial aid software is accurate and based on the most up to date information. The District implemented procedures in August 2023 to ensure that the correct student status is utilized in the calculation of Return to Title IV.
View Audit 298451
Finding 386083 (2023-001)
Significant Deficiency 2023
Local Area of the Workforce Development in the Northwest
PR
Matching / Level of Effort / Earmarking Subrecipient Monitoring Period of Performance
The Corrective Action Plan in a continuous basis will be as follow: 1.Employment and Educational Fairs for the Youth Program are being developed to recruit out of school Youth and promote work experiences activity. 2. The Promotion and Dissemination staff began an aggressive campaign in different ad...
The Corrective Action Plan in a continuous basis will be as follow: 1.Employment and Educational Fairs for the Youth Program are being developed to recruit out of school Youth and promote work experiences activity. 2. The Promotion and Dissemination staff began an aggressive campaign in different advertising media to recruit out of school youth. 3. The program area has already planned for the month of May and June 2024 to carry out work experience activities coordinated with private companies and municipalities. It is planned for young people out of school and in school. 4. Both the program staff and the fiscal agent will be continuously monitoring the expense and obligations to the work experience activities to comply with the 20% expense. 5.The youth committee attached to the Northwest Local Board will comprise a representative from finance, budget and planning staff (youth program and executive) who will measure the achievement of the 20% benchmark on a quarterly basis. 6.This committee will take appropriate actions in order to verify the correctness of the expenditures according to the 20% expense requirement mentioned above. 7.This committee will provide to the Executive Director, recommendations to the operational areas in order to comply to the goal of expenditures required under sections 20CFR 681,590,681,600(a)(3) and681.600 of WIOA. 8.A report will be issue to the operational levels in accordance to the recommendations adopted by the Executive Director. 9. The public policy for the implementation of the work experience element of the youth program gave the opportunity to increase 2% of youth services. 10.The Northwest Local Area has established strategies for the dissemination of services for the youth program. This is done through the integration of social networks (lnstagram and Facebook), radio, signs, press, television and official internet page. 11.The youth area, together with the promotion unit, established an itinerary of visits to the municipalities that comprise our area in order to carry out campaigns(Work Fairs)to guide our services and recruitment. 12.We will continue to join efforts through mass campaigns with an effective strategic plan to outreach the youth program. LEAD PERSONS ACCOUNTABLE FOR ACTION ITEM COMPLETION Executive Director, Area Executive, MIS Director and Finance Director
View Audit 298447
Finding 386065 (2023-002)
Significant Deficiency 2023
Rice Lake Housing Authority
WI
Subrecipient Monitoring HUD Housing Programs Internal Control / Segregation of Duties
2023-002 - Insufficient Collateral Corrective Action Planned: The Authority will closely monitor all deposits to make sure that the amount of funds on deposit are protected by federal deposit insurance, corporate surety bond, or collateral. Completion Date: June 30, 2024
2023-002 - Insufficient Collateral Corrective Action Planned: The Authority will closely monitor all deposits to make sure that the amount of funds on deposit are protected by federal deposit insurance, corporate surety bond, or collateral. Completion Date: June 30, 2024
View Audit 298424
Finding 386058 (2023-002)
Significant Deficiency 2023
Ripon College
WI
Special Tests & Provisions Subrecipient Monitoring Significant Deficiency
Finding 2023-002 Sept. 27, 2023 Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program p...
Finding 2023-002 Sept. 27, 2023 Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program policy that addresses the six required minimum safeguard elements identified within 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal written policy was not completed and documented in fiscal 2023 which would have addressed the required written policy noted in 16 CFR 314.4 (b). Corrective Action Plan: • The College agrees and concurs with the audit finding. • The College is working with a cybersecurity partner, OculusIT (OculusIT.com) to assist us with GLBA compliance and cybersecurity hardening of the college’s IT infrastructure. OculusIT will assist us in preparing the required documentation that addresses risk assessment of all three areas noted in the finding. Many elements of GLBA compliance have already been put in place as elaborated below. • Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). Vince Vargiya is the College’s designated qualified individual. • Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). OculusIT will undertake a GLBA risk assessment covering the following areas of the College: o Senior Management o IT Security o Admissions o Registrar Office o Financial Aid Office o HR and Payroll o Student Financial Services o Library Work on completing pre-audit questionnaires for each area is in progress. • Regarding a written information security policy that addresses the minimum safeguard requirements, see below. • Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: o Implement and periodically review access controls. We regularly review access controls to systems containing financial data. Our formal policy will document this. o Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. We maintain a server inventory, noting which sites contain financial information. Our formal policy will document this. o Encrypt customer information on the institution’s system and when it’s in transit. Our server data is encypted using standard SQL TDE encryption. All data transmitted to off campus partners uses the sftp protocol. Our formal policy will document this. o Assess apps developed by the institution. The College’s enterprise apps are commercially sourced, updated using vendor supplied processes per annual support contracts, and not developed in-house. Our formal policy will document this. o Implement multi-factor authentication for anyone accessing customer information on the institution’s system. All users who access Jenzabar (SIS, Financials), PowerFaids (Financial Aid) must use DUO MFA. RaisersEdge (Advancement/Donor Management) employs text or email MFA. All email accounts are secured with google 2 step authentication. Our formal policy will document this. o Dispose of customer information securely. When server hardware is decommissioned, the data drives are physically smashed. When leased endpoint systems are returned to the leasing company, their hard drives are wiped using standard software. Our formal policy will document this. o Anticipate and evaluate changes to the information system or network. We meet regularly with OculusIT to discuss changes to the network. Our endpoints are monitored for malware via a managed detection and response system. Our servers and network switches are monitored 24/7 by the Oculus SOC, and unusual events are flagged and presented to us for analysis. Our formal policy will document this. o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. Our formal policy will document this. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. We receive weekly reports on any server vulnerabilities. We actively work to remediate identified vulnerabilities. We have implemented annual penetration testing, and have completed testing for 2023. We have remediated identified penetration issues. Our formal policy will document this. • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). We require semi annual security awareness training and monthly phishing testing through KnowBe4. Our formal policy will document this. • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). We require providers to submit SOC1 or HECVAT documentation. Our formal policy will document this. • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). We work with OculusIT to follow up on results of testing and risk assessments. For example, we rescan our network to follow up on the results of pen testing. We meet with the Oculus SOC team to discuss server vulnerabilities uncovered on a monthly basis. Our formal policy will document this process. Names of Contact Persons Responsible for Corrective Action Plan: Gary Rodman (Senior Director of Information Technology), rodmang@ripon.edu, 920-748-8343 Vince Vargiya (Vice President Information Security | CISO, OculusIT) vince_varigiya@oculusit.com 844-462-8587 ext. 193 Anticipated Completion Date: Implementation of this plan began in March 2023, focusing on infrastructure hardening. Formal written polices will be put in place no later than June 30, 2024.
View Audit 298423
« 1 307 308 310 311 498 »