Finding Text
Federal Agency: Department of Education
Federal Program Title: Student Financial Assistance Cluster
Federal Assistance Listing Number: Various
Federal Award Identification Number and Year: N/A
Pass-Through Agency: N/A
Pass-Through Number: N/A
Award Period: July 1, 2022 – June 30, 2023
Type of Finding:
Significant Deficiency in Internal Control Over Compliance
Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our audit procedures, it was noted that the College did not prepare a formal risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks.
Cause: The University did not have processes in place to document the GLBA requirements.
Effect: The student personal information could potentially be vulnerable.
Repeat finding: No
Recommendation: We recommend the College consider hiring a firm to review their documentation and ensure that there are documented safeguards for identified risks and the required documentation and practices are implemented. We also recommend reviewing the changes in the Gramm-Leach-Bliley Act regulations that were required to be implemented as of June 9, 2023.
Views of responsible officials: There is no disagreement with the audit finding.