Finding Text
2024 – 003
Federal Agency: Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Numbers: 84.063, 84.007, and 84.033
Federal Award Identification Number and Year: P268K231902, P063P231902, P007A232974; grants were awarded within the 2022-23 and 2023-24 award years.
Award Period: September 1, 2023, through August 31, 2024
Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our audit procedures, it was noted that the College did not fully comply with the GLBA guidelines: there was no formal review of access controls, no evidence of a periodic inventory of data, no process to evaluate network changes, and no modification of the written information security program (WISP) based on a penetration test or cyber incidents.
Cause: The College policies and procedures did not comply with the Gramm-Leach-Bliley Act (GLBA) guidelines as noted above.
Effect: Student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend reviewing and implementing GLBA guidelines in order to explain the College’s information-sharing practices to its customers and to safeguard sensitive data, including student financial information.
Views of Responsible Officials:
Management agrees with the finding and has developed a plan to correct the finding.