Finding 10322 (2023-001)

2023 – 001 Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program) Federal Award Identification Number and Year: N/A; 2022-2023 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance; Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Code of Federal Regulations 2 CFR 200.303 requires the District to establish and maintain effective internal controls over Federal awards. Condition: During our testing of the District’s information technology, we noted the District did not maintain a comprehensive written security program that included the minimum required elements. Questioned costs: None Context: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Cause: The District has continued to make progress in updating the District’s written security program to become in compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat finding: No Recommendation: We recommend the District work to update the written security program to ensure compliance with all the standards. Views of responsible officials: The College meets or exceeds the system and data security requirements as stipulated in the GLBA and best industry practice and standards for IT system security. There are no identified weaknesses or concerns for the security of College data. Formal documentation of procedures and process are in place and being formalized by the Institution and the College will be in compliance with the requirement for formal written standards going forward.