Finding 1154796 (2024-001)

Material Weakness Repeat Finding
Requirement: L
Questioned Costs: -
Year: 2024
Accepted: 2025-09-23
Audit: 367160
Organization: Samuel Merritt University (CA)

AI Summary

  • Core Issue: The University lacks a documented formal risk assessment for IT controls related to the Gramm-Leach-Bliley Act (GLBA), which is essential for protecting student financial aid information.
  • Impacted Requirements: GLBA safeguards require monitoring of access levels to information systems, which the University has not adequately implemented.
  • Recommended Follow-Up: Document a formal risk assessment and establish a process to regularly review user access levels with management to ensure compliance and security.

Finding Text

2024-001 – Gramm-Leach-Bliley Act
Assistance Listing Number: Various – U.S. Department of Education – Student Financial Assistance Cluster

Criteria
Under the University’s Program Participation Agreement and the Student Aid Internet Gateway Agreement, institutions must have the Gramm-Leach-Bliley Act (GLBA) safeguards in place. GLBA requirements are related to protecting student financial aid information, specifically information provided in support of the administration of Title IV federal student financial aid. GLBA safeguards include a documented formal risk assessment of specific areas and controls, including those over monitoring of appropriate access levels to information systems.

Condition
The University has maintained a formal documented risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assess the sufficiency of any safeguards in place to control these risks. In addition, controls over access to the financial aid information system lacked monitoring procedures to ensure appropriate access levels were maintained as users changed roles at the University.

Context
During our testing of the University’s IT system, we inquired if the University has performed a risk assessment that addresses the three required areas noted above. Although there appear to be policies and procedures in place, we were unable to obtain written formal documentation relating to a risk assessment as required. As it relates to access controls, the University does not periodically review users’ access with management to ensure appropriate access is maintained by employees who change roles within the University.

Cause
The University has not documented a formal risk assessment of key IT controls relating to the security of information and review of monitoring procedures related to access controls.

Effect
Information may be at risk of unauthorized disclosure, misuse, alteration, destruction or compromise of such information.

Questioned Costs
There were no questioned costs related to this finding.

Recommendation
We recommend that the University document a formal risk assessment, along with recommendations for remediation of any open items and/or deficiencies, including implementing a process to review access levels with management for active employees.

Responsible Personnel
Marcus D Walton, Deputy Chief Operating Officer & CIO

Corrective Action Plan

Planned Corrective Action
The University acknowledges the finding related to incomplete documentation of the formal risk assessment and the lack of monitoring over access levels to the financial aid system. We are currently developing a comprehensive, documented GLBA risk assessment that aligns with federal requirements, including the identification of internal and external risks, evaluation of current safeguards, and implementation of appropriate remediation measures. Additionally, the University is implementing a formalized review process whereby system access roles are reviewed quarterly in collaboration with department managers to ensure user access is consistent with current job responsibilities. This will include a standardized user access review form and documented management sign-off.

Implementation Date
  • Risk Assessment Documentation: December 31, 2025
  • Access Review Procedure Implementation: December 31, 2025

Responsible Personnel
Marcus D Walton, Deputy Chief Operating Officer & CIO
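As an added illustration of the quarterly access review described in the plan above (example code, not from the audit or the University), this Python sketch reconciles a financial aid system's role export against the HR roster and flags access that should have changed with a user's job or separation. All user names, job roles, system roles, dates and the role policy are constructed.

```python
from datetime import date

# Which system roles each job role may hold (constructed policy, not the University's).
ROLE_POLICY = {
    "FA Director": {"fa_view", "fa_award", "fa_admin"},
    "FA Counselor": {"fa_view", "fa_award"},
    "Registrar Clerk": {"fa_view"},
}

# Constructed HR roster: user -> (current job role, active?, date that role took effect).
# bchen moved from FA Counselor to Registrar Clerk in July 2024; dlee has separated.
ROSTER = {
    "avila": ("FA Director", True, date(2019, 3, 1)),
    "bchen": ("Registrar Clerk", True, date(2024, 7, 15)),
    "dlee": ("FA Counselor", False, date(2021, 1, 4)),
}

# Constructed export from the financial aid system: (user, system role, date granted).
SYSTEM_ROLES = [
    ("avila", "fa_admin", date(2019, 3, 1)),
    ("bchen", "fa_award", date(2022, 5, 10)),
    ("bchen", "fa_view", date(2024, 8, 1)),
    ("dlee", "fa_view", date(2021, 1, 4)),
    ("svc_batch", "fa_view", date(2020, 1, 1)),
]

def classify(user, role, granted_on, roster=ROSTER, policy=ROLE_POLICY):
    """Classify one role assignment by reconciling it against HR and the role policy."""
    rec = roster.get(user)
    if rec is None:
        return "unknown_user"             # no HR owner: service or orphaned account
    job_role, active, role_changed_on = rec
    if not active:
        return "inactive_user"            # separated employee still holds access
    if role in policy.get(job_role, set()):
        return "ok"
    if granted_on < role_changed_on:
        return "stale_after_role_change"  # carried over from a previous job, never removed
    return "excess_access"                # granted after the change but not allowed by policy

def review_access(system_roles=SYSTEM_ROLES, roster=ROSTER, policy=ROLE_POLICY):
    """Build the review sheet: every assignment, its status, and a blank sign-off slot."""
    return [
        {"user": u, "role": r, "status": classify(u, r, g, roster, policy), "manager_signoff": ""}
        for u, r, g in system_roles
    ]

def needs_action(sheet):
    """Rows the department manager must explicitly approve or revoke."""
    return [row for row in sheet if row["status"] != "ok"]
```

Each non-"ok" row is what the standardized review form would present to the department manager for a documented approve-or-revoke decision.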

Categories

  • Subrecipient Monitoring
  • Student Financial Aid

Other Findings in this Audit

  • 1154797 2024-002
    Material Weakness Repeat
  • 1154798 2024-003
    Material Weakness Repeat

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $71.23M
93.364 | Nursing Student Loans - Outstanding As of January 1, 2024 | $3.25M
93.342 | Health Professions Student Loans, Including Primary Care Loans/Loans for Disadvantaged Students - Outstanding As of January 1, 2024 | $1.72M
93.364 | Nursing Student Loans - Issued During the Year | $1.13M
93.178 | Nursing Workforce Diversity | $722,110
93.732 | Mental and Behavioral Health Education and Training Grants | $639,022
84.063 | Federal Pell Grant Program | $611,393
84.033 | Federal Work-Study Program | $491,088
84.007 | Federal Supplemental Educational Opportunity Grants | $160,109
93.342 | Health Professions Student Loans, Including Primary Care Loans/Loans for Disadvantaged Students - Issued During the Year | $147,021
84.116 | Fund for the Improvement of Postsecondary Education | $75,246
84.038 | Federal Perkins Loan Program - Outstanding As of January 1, 2024 | $70,132
16.582 | Crime Victim Assistance/Discretionary Grants | $49,507