Finding Text
Federal agency: U.S. Department of Education
Federal program title: Student Financial Aid Cluster
ALN Number: 84.063, 84.268, 84.007, 84.033
Federal Award Identification Number: P007A221791, P007A231791, P007A241791, P033A221791,
P063P221568, P033A231791, P063P231568, P063Q221568, P063Q231568, P268K231568,
P268K241568
Award Period: July 1, 2023 to June 30, 2024
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Criteria or specific requirement:
Internal Control - Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain
effective internal control over the Federal award that provides reasonable assurance that the non-
Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the
terms and conditions of the Federal award. These internal controls should be in compliance with
guidance in Standards for Internal Control in the Federal Government issued by the Comptroller
General of the United States or the Internal Control Integrated Framework, issued by the Committee
of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance - The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to
explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR
314). The Federal Trade Commission considers institutions that participate in Title IV
Educational Assistance Programs to be financial institutions subject to the Gramm-Leach-Bliley Act
(16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive
information security program that is written in one or more readily accessible parts. The regulations
require the written information security program to include nine elements for institutions with 5,000 or
more customers (16 CFR 314.3(a)). The elements that an institution must address in its written
information security program are set out at 16 CFR 314.4.
Condition: Certain elements of the College's information security program did not meet GLBA
requirements.
Questioned costs: None
Context: The College's written information security program did not cover the requirement to provide
for the design and implementation of safeguards to control the risks the institution identifies through its
risk assessment (16 CFR 314.4(c)). At a minimum, the institution's written information security program
must address the implementation of the safeguards identified in 16 CFR 314.4(c)(1) through
(8).
Cause: The gaps in the College's information security program during the audit period stemmed from
prior deficiencies in documentation and procedural enforcement, which were exacerbated by staff
turnover and resource constraints.
Effect: Without a written plan that covers the design and implementation of safeguards, the risks
identified in the College's risk assessment may not be adequately controlled, information security
management may not be optimized, and responses to security events may be delayed.
Repeat Finding: Yes, 2023-002
Recommendation: We recommend the College ensure its written information security program
addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: There is no disagreement with the audit finding.