Finding Text
2024 – 001: Special Tests and Provisions: Gramm-Leach Bliley Act (GLBA)
Federal Agency: U.S. Department of Education
Federal Program Title: Student Financial Assistance
ALN Number: 84.007, 84.033, 84.063, 84.268, 84.379
Pass-Through Agency: N/A
Pass-Through Number(s): N/A
Award Period: July 1, 2023 through June 30, 2024
Type of Finding:
Significant Deficiency in Internal Control over Compliance
Other Matters
Criteria or specific requirement: The Gramm-Leach Bliley Act (GLBA) requires financial institutions to
explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR
314). The regulation states that the college must designate a qualified individual responsible for
overseeing and implementing your information security program and enforcing your information security
program (16 CFR 314.4(a). The entity shall have a Written Information Security Program (WISP) that
outlines the design and implementation of the risk assessment procedures. (16 CFR 314.4(b). At a
minimum, the institution’s written information security program must address the implementation of the
minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by
the institution. In addition, the written security program provides for the institution to regularly test or
otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d).
Per 2 CFR 200.303, nonfederal entities receiving federal awards are required to establish and maintain
internal controls designed to reasonably ensure compliance with federal laws, regulations, and program
compliance requirements.
Condition: The University has a Written information Security Program; however, the University did not
meet the minimum requirements stated in the Gramm-Leach-Bliley Act.
Questioned costs: None.
Context: These GLBA requirements were applicable beginning on June 9, 2023, and there were
multiple elements missing from their Written Information Security Program.
Cause: There was not a formal process in place to review against all the new GLBA requirements to
ensure compliance.
Effect: The University was not in Gramm-Leach-Bliley compliance standards.
Repeat finding: Yes, 2023-002
Recommendation: We recommend that the University review the updated GLBA requirements and
ensure their WISP includes all required elements.
Views of responsible officials: There is no disagreement with the audit finding.