FAC Explorer

Finding 10980 (2023-002)

Material Weakness
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-01-31
Audit: 14816
Organization: Western Oregon University (OR)
Auditor: Eide Bailly LLP

AI Summary

  • Core Issue: The University has a material weakness in its internal controls regarding the Gramm-Leach-Bliley Act (GLBA) compliance due to an outdated information security program.
  • Impacted Requirements: The University failed to meet the nine required elements of a comprehensive information security program as mandated by 16 CFR Part 314.
  • Recommended Follow-Up: The University should update and document its information security program to ensure compliance with GLBA requirements and establish a system for regular reviews.

Finding Text

U.S. Department of Education Student Financial Assistance Cluster Federal Financial Assistance Listing Number(s): 84.063, 84.007, 84.268, 84.033, 84.038, 84.379 Compliance Requirement: Special Tests & Provisions – Gramm‐Leach‐Bliley Act (GLBA) – Student Information Security Type of Finding: Material Weakness in Internal Control Criteria: Under 16 CFR Part 314, Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require that the written information security program to include nine elements for institutions with 5,000 or more customers. Condition: During our testing over GLBA compliance, we noted that the University had not updated their information security program since 2018 and that it was missing aspects of the required nine elements. Cause: The University has not updated their written information security program since 2018. Effect: The University did not have a system in place to ensure the required elements under GLBA were included in the comprehensive information security program and that the program was reviewed periodically. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Year(s): No Recommendation: The University should have a system in place to ensure that their comprehensive security program includes the required aspects under GLBA and that they are in documented in writing. Views of Responsible Officials: Management agrees with the finding.

Corrective Action Plan

Finding 2023-002 Federal Agency Name: U.S. Department of Education Federal Financial Assistance Listing: 84.063, 84.007, 84.268, 84.033, 84.038, 84.379 Program Name: Student Financial Assistance Cluster Compliance Requirement: Special Tests & Provisions – Gramm-Leach-Bliley Act (GLBA) – Student Information Security Type of Finding: Material Weakness in Internal Controls Finding Summary: During testing over GLBA compliance, it was noted that the University had not updated the information security program and was missing aspects of the required nine elements. Responsible Individuals: Kella Helyer, Director of Financial Aid (DFA) and Michael Ellis, Assistant Director of University Computing Solutions (AD UCS) Corrective Action Plan: Management agrees with this finding. See the GLBA Draft Corrective Action Plan table below. Anticipated Completion Date: See the attached GLBA Draft Corrective Action Plan table below: GLBA documentation 314.4 Reference What WOU will do Complete by Date Who will do it Completion Date Document full status of 314.4 4/1/24 AD UCS a Complete b Update our CIS18 controls - aka InfoSec Program 7/1/24 AD UCS b.2 Risk assessment for on-prem servers with FinAid* data 4/1/24 AD UCS, Lead Windows Admin, Warehouse Programmer c.1 Document current processes and access controls 4/1/24 AD UCS, DFA c.2 Document current information, including Business Office 12/20/23 Financial Aid Accountant 12/13/23 c.3 Encrypte NetApp volumes, and ensure encryption on DB links 8/1/24 AD UCS, Lead Windows Admin, Warehouse Programmer c.4 Assess warehouse & BannerRPT 7/1/24 AD UCS, Warehouse Programmer, Operating Systems/Security Analyst c.5 Complete c.6 Review PowerFAIDS electronic files for purging Review paper files for purging Have Business Office review files for purging 8/1/24 DFA c.7 Audit FinAid data access upon addition to Warehouse 8/1/24 Warehouse Programmer and/or Operating Systems/Security Analyst c.8 Add access logs to WOU central logging system 8/1/24 AD UCS, Web & Banner Programmer d.2.i Annual pentest by Campus Guard 2/29/24 AD UCS e Complete f Document all 3rd party providers who interact with FinAid data. Audit yearly 8/1/24 DFA, AD UCS g Complete h Complete i Verbal report given in 2023. Anticipated written report to Board on 7/1/24 7/1/24 AD UCS

Categories

Special Tests & Provisions Material Weakness Internal Control / Segregation of Duties

Other Findings in this Audit

  • 10974 2023-001
    Material Weakness
  • 10975 2023-001
    Material Weakness
  • 10976 2023-001
    Material Weakness
  • 10977 2023-001
    Material Weakness
  • 10978 2023-001
    Material Weakness
  • 10979 2023-001
    Material Weakness
  • 10981 2023-002
    Material Weakness
  • 10982 2023-002
    Material Weakness
  • 10983 2023-002
    Material Weakness
  • 10984 2023-002
    Material Weakness
  • 10985 2023-002
    Material Weakness
  • 587416 2023-001
    Material Weakness
  • 587417 2023-001
    Material Weakness
  • 587418 2023-001
    Material Weakness
  • 587419 2023-001
    Material Weakness
  • 587420 2023-001
    Material Weakness
  • 587421 2023-001
    Material Weakness
  • 587422 2023-002
    Material Weakness
  • 587423 2023-002
    Material Weakness
  • 587424 2023-002
    Material Weakness
  • 587425 2023-002
    Material Weakness
  • 587426 2023-002
    Material Weakness
  • 587427 2023-002
    Material Weakness

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $14.78M
84.063 Federal Pell Grant Program $6.58M
84.038 Archived $1.51M
84.042 Trio Student Support Services $674,034
84.160 Training Interpreters for Individuals Who Are Deaf and Individuals Who Are Deaf-Blind $575,491
84.129 Rehabilitation Long-Term Training $386,935
93.434 Every Student Succeeds Act/preschool Development Grants $346,987
84.365 English Language Acquisition State Grants $322,418
84.047 Trio Upward Bound $305,965
84.007 Federal Supplemental Educational Opportunity Grants $289,265
84.033 Federal Work Study Program $253,023
84.425 Education Stabilization Fund $248,951
84.325 Special Education-Personnel Development to Improve Services and Results for Children with Disabilities $215,386
84.325 Special Education - Personnel Development to Improve Services and Results for Children with Disabilities $174,447
16.710 Public Safety Partnership and Community Policing Grants $140,450
84.326 Special Education Technical Assistance with Dissemination to Improve Services and Results for Children with Disabilities $118,174
84.379 Teacher Education Assistance for College and Higher Education Grants $117,211
21.027 Coronavirus State and Local Fiscal Recovery Funds $98,679
16.608 Tribal Justice Systems $94,106
16.575 Crime Victim Assistance $82,726
84.126 Rehabilitation Services Vocational Rehabilitation Grants to States $50,400
93.575 Child Care and Development Block Grant $33,267
97.036 Disaster Grants - Public Assistance $28,079
93.323 Epidemiology and Laboratory Capacity for Infectious Diseases $24,692
10.558 Child and Adult Care Food Program $15,525
84.326 Special Education Technical Assistance and Dissemination to Improve Services and Results for Children with Disabilities $14,333
47.076 Stem Education $11,826
84.367 Supporting Effective Instruction State Grants $7,985
45.164 Promotion of the Humanities Public Programs $4,550
45.310 Grants to States $949