Finding 1173186 (2024-005)

Material Weakness Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2026-02-10
Audit: 386639
Organization: College of Micronesia - Fsm (FM)

AI Summary

  • Core Issue: The College lacks a qualified individual and a formal program to oversee compliance with the Gramm-Leach-Bliley Act (GLBA) regarding student information security.
  • Impacted Requirements: Noncompliance with GLBA requirements puts the College at risk for mishandling sensitive student financial aid information.
  • Recommended Follow-Up: Develop a comprehensive GLBA information security program, designate a qualified overseer, provide staff training, and conduct regular reviews to ensure compliance.

Finding Text

Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster - 84.063 Federal Pell Grant
Federal Award No.: Title IV HEA Program OPE ID 01034300
Area: Special Tests and Provisions: Gramm-Leach-Bliley Act Student Information Security
Questioned Costs: $---

Criteria: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as financial institutions and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions should comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

Condition: The College does not have a qualified individual to oversee the GLBA information security program. Additionally, the Company does not have an existing GLBA information security program in place.

Cause: The non-compliance is due to a lack of awareness and understanding of the GLBA requirements and the absence of a formalized process for establishing and maintaining an information security program.

Effect: The College is in noncompliance with applicable GLBA requirements.

Recommendation: The College should develop and implement a comprehensive GLBA information security program that includes risk assessments, safeguards, and regular testing and monitoring of the effectiveness of these safeguards. A qualified individual with the necessary expertise and authority to oversee the GLBA information security program should also be designated. Provide training to relevant staff on GLBA requirements and the importance of information security. Conduct periodic reviews and updates of the information security program to ensure ongoing compliance with GLBA requirements.

Views of responsible officials: The College acknowledges the finding. Refer to their corrective action plan.

Corrective Action Plan

Finding 2024-05 - Special Tests and Provisions: Gramm-Leach-Bliley Act-Student Information Security

Recommendation: The College should develop and implement a comprehensive GLBA information security program that includes risk assessments, safeguards, and regular testing and monitoring of the effectiveness of these safeguards. A qualified individual with the necessary expertise and authority to oversee the GLBA information security program should also be designated. Provide training to relevant staff on GLBA requirements and the importance of information security. Conduct periodic reviews and updates of the information security program to ensure ongoing compliance with GLBA requirements.

Response: The college acknowledges the finding and will strengthen its student information security by implementing the following:

  1. Designate a qualified Information Security Officer from within the IT Division or recruit externally if internal capacity is limited.
  2. Develop a GLBA compliance program that includes:
    • Annual risk assessments
    • Implementation of administrative, technical, and physical safeguards
    • Staff training on data privacy
    • Annual testing of the security protocols

Contact: Vice President for Institutional Effectiveness & Quality Assurance (VPIEQA)
Completion Date: September 30, 2025

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Special Tests & Provisions

Other Findings in this Audit

  • 1173184 2024-003
    Material Weakness Repeat
  • 1173185 2024-004
    Material Weakness Repeat
  • 1173187 2024-006
    Material Weakness Repeat
  • 1173188 2024-007
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
84.063 FEDERAL PELL GRANT PROGRAM $9.89M
84.425 EDUCATION STABILIZATION FUND $2.83M
10.511 SMITH-LEVER EXTENSION FUNDING $932,221
15.875 ECONOMIC, SOCIAL, AND POLITICAL DEVELOPMENT OF THE TERRITORIES $878,978
84.047 TRIO UPWARD BOUND $674,250
11.028 CONNECTING MINORITY COMMUNITIES PILOT PROGRAM $538,601
10.203 PAYMENTS TO AGRICULTURAL EXPERIMENT STATIONS UNDER THE HATCH ACT $452,084
84.044 TRIO TALENT SEARCH $401,721
93.236 GRANTS TO STATES TO SUPPORT ORAL HEALTH WORKFORCE ACTIVITIES $374,944
11.307 ECONOMIC ADJUSTMENT ASSISTANCE $255,649
10.308 RESIDENT INSTRUCTION, AGRICULTURE, AND FOOD SCIENCE FACILITIES AND EQUIPMENT GRANTS $93,039
10.514 EXPANDED FOOD AND NUTRITION EDUCATION PROGRAM $57,525
47.076 STEM EDUCATION (FORMERLY EDUCATION AND HUMAN RESOURCES) $30,149