Finding 1174984 (2025-002)

Material Weakness / Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2025
Accepted: 2026-02-23
Audit: 388595
Organization: Central Michigan University (MI)

AI Summary

  • Core Issue: The University is not fully compliant with the Gramm Leach Bliley Act, lacking key safeguards for protecting sensitive customer data.
  • Impacted Requirements: Missing policies on multi-factor authentication, data inventory, encryption, and system change evaluations increase risks to sensitive information.
  • Recommended Follow-Up: Implement a review process to ensure all compliance policies are documented and verified by a second individual.

Finding Text

2025-002 Special Tests and Provisions - Gramm Leach Bliley Act Missing Compliance Requirements

Finding Type: Immaterial Noncompliance/Significant Deficiency in Internal Control over Compliance (Special Tests and Provisions).

Program: Student Financial Assistance Cluster; U.S. Department of Education; Assistance Listing Numbers 84.007, 84.033, 84.063, 84.268 and 84.379; Award Numbers P007A241985, P033A241985, P063P220222, P063P230222, P063P240222, P268K240222, P268K250222, and P379T250222.

Criteria: The Federal Trade Commission (FTC) states that the Gramm Leach Bliley Act "requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data."

Condition: The Gramm Leach Bliley Policy, in effect at time of audit, failed to explicitly state how the University addressed the implementation of multi-factor authentication for anyone accessing customer information on the institution's system, conducting a periodic inventory of data that notes where it is collected, stored, or transmitted, encrypting customer information on the institution's system and when it's in transit, and anticipating and evaluating changes to the information system or network.

Cause: The University did not have a review process in place for ensuring all required safeguard policies were written in the information security program in accordance with the Gramm Leach Bliley Act.

Effect: As a result of this condition, the College isn't meeting the safeguard requirements necessary to comply with the FTC. In addition, the lack of safeguard controls creates an increased risk to highly sensitive data that is possessed by the University.

Questioned Costs: No costs were required to be questioned as a result of this finding inasmuch as our testing did not reveal any unallowed costs.

Recommendation: We recommend that the University implement procedures to ensure that all Gramm Leach Bliley Policies are met and verified by a second individual.

View of Responsible Officials: Management agrees with this finding and has prepared a Corrective Action Plan.

Corrective Action Plan

Finding Number: 2025-002 – Special Tests and Provisions – Gramm Leach Bliley Act Missing Compliance Requirements

Auditor Description of Condition and Effect: The Gramm Leach Bliley Policy, in effect at time of audit, failed to explicitly state how the university addressed the implementation of multi-factor authentication for anyone accessing customer information on the institution's system, conducting a periodic inventory of data that notes where it is collected, stored, or transmitted, encrypting customer information on the institution's system and when it's in transit, and anticipating and evaluating changes to the information system or network. The University did not have a review process in place for ensuring all required safeguards were written in the information security program in accordance with the Gramm Leach Bliley Act.

Auditor Recommendation: We recommend that the University implement procedures to ensure that all Gramm Leach Bliley policies are met and verified by a second individual.

Views of Responsible Officials and Planned Corrective Action: Beginning in fiscal year 2026, the Office of Information Technology (OIT) implemented an updated policy/procedure aligned with the Gramm Leach Bliley Act (GLBA) Information Security Program requirements. The updates include:

  • implementation of multi-factor authentication (MFA) for anyone accessing customer information on the institution's system;
  • conducting a periodic inventory to identify where customer information is collected, stored, or transmitted;
  • encryption of customer information both on institutional systems and during transmission;
  • procedures to anticipate and evaluate changes to the information system or network that may impact data security.

Although not fully documented, the following measures were already implemented and operational at the time of audit:

  • Multi-Factor Authentication (MFA): MFA has been in place for all systems that access customer financial information, in accordance with FTC Safeguards Rule updates effective June 2023;
  • Encryption: Both data at rest and in transit have been encrypted using industry-standard protocols, consistent with GLBA requirements; and
  • Data Inventory: A periodic inventory of systems and data flows has been conducted, identifying where customer information is collected, stored, and transmitted. This is part of our broader risk assessment and information security program.

Internal Audit reviewed the policy and associated processes against the applicable regulation (16 CFR 314) and concluded that we were in compliance based on the regulatory guidance available. It was not until the release of the final 2025 Compliance Supplement in late November 2025 that clarification was provided indicating that all eight minimum safeguards must be explicitly documented within the written information security program. Additionally, the University has established a formal review process to ensure all GLBA safeguard policies are met. Key personnel and leadership within OIT will conduct regular compliance reviews to verify adherence and promote operational efficiency.

Contact person responsible for corrective action: Jerry Todd, Chief Information Security Officer, Office of Information Technology Information Security

Anticipated Completion Date: 12/1/2025

Categories

  • Special Tests & Provisions
  • Significant Deficiency
  • Equipment & Real Property Management
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 1174967 2025-001
    Material Weakness Repeat
  • 1174968 2025-001
    Material Weakness Repeat
  • 1174969 2025-001
    Material Weakness Repeat
  • 1174970 2025-001
    Material Weakness Repeat
  • 1174971 2025-001
    Material Weakness Repeat
  • 1174972 2025-001
    Material Weakness Repeat
  • 1174973 2025-002
    Material Weakness Repeat
  • 1174974 2025-002
    Material Weakness Repeat
  • 1174975 2025-002
    Material Weakness Repeat
  • 1174976 2025-002
    Material Weakness Repeat
  • 1174977 2025-002
    Material Weakness Repeat
  • 1174978 2025-002
    Material Weakness Repeat
  • 1174979 2025-002
    Material Weakness Repeat
  • 1174980 2025-002
    Material Weakness Repeat
  • 1174981 2025-002
    Material Weakness Repeat
  • 1174982 2025-002
    Material Weakness Repeat
  • 1174983 2025-002
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 FEDERAL DIRECT STUDENT LOANS $27.93M
84.063 FEDERAL PELL GRANT PROGRAM $22.15M
84.033 FEDERAL WORK-STUDY PROGRAM $960,299
84.007 FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS $407,970
93.173 RESEARCH RELATED TO DEAFNESS AND COMMUNICATION DISORDERS $277,606
84.326 SPECIAL EDUCATION TECHNICAL ASSISTANCE AND DISSEMINATION TO IMPROVE SERVICES AND RESULTS FOR CHILDREN WITH DISABILITIES $234,067
84.217 TRIO MCNAIR POST-BACCALAUREATE ACHIEVEMENT $205,960
93.323 EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) $180,162
84.044 TRIO TALENT SEARCH $177,648
11.300 INVESTMENTS FOR PUBLIC WORKS AND ECONOMIC DEVELOPMENT FACILITIES $157,957
84.047 TRIO UPWARD BOUND $151,026
93.853 EXTRAMURAL RESEARCH PROGRAMS IN THE NEUROSCIENCES AND NEUROLOGICAL DISORDERS $139,583
15.608 FISH AND AQUATIC CONSERVATION - AQUATIC INVASIVE SPECIES $131,370
93.493 CONGRESSIONAL DIRECTIVES $127,344
93.286 DISCOVERY AND APPLIED RESEARCH FOR TECHNOLOGICAL INNOVATIONS TO IMPROVE HUMAN HEALTH $119,366
81.049 OFFICE OF SCIENCE FINANCIAL ASSISTANCE PROGRAM $112,664
15.662 GREAT LAKES RESTORATION $112,655
93.658 FOSTER CARE TITLE IV-E $90,831
93.991 PREVENTIVE HEALTH AND HEALTH SERVICES BLOCK GRANT $89,849
21.027 CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS $87,924
93.242 MENTAL HEALTH RESEARCH GRANTS $80,338
11.429 MARINE SANCTUARY PROGRAM $78,693
89.003 NATIONAL HISTORICAL PUBLICATIONS AND RECORDS GRANTS $76,228
93.243 SUBSTANCE ABUSE AND MENTAL HEALTH SERVICES PROJECTS OF REGIONAL AND NATIONAL SIGNIFICANCE $74,664
84.027 SPECIAL EDUCATION GRANTS TO STATES $73,418
12.910 RESEARCH AND TECHNOLOGY DEVELOPMENT $61,730
47.070 COMPUTER AND INFORMATION SCIENCE AND ENGINEERING $59,307
84.334 GAINING EARLY AWARENESS AND READINESS FOR UNDERGRADUATE PROGRAMS $56,087
47.050 GEOSCIENCES $55,668
11.609 MEASUREMENT AND ENGINEERING RESEARCH AND STANDARDS $55,566
93.211 TELEHEALTH PROGRAMS $43,141
93.110 MATERNAL AND CHILD HEALTH FEDERAL CONSOLIDATED PROGRAMS $40,273
15.657 ENDANGERED SPECIES RECOVERY IMPLEMENTATION $39,689
12.630 BASIC, APPLIED, AND ADVANCED RESEARCH IN SCIENCE AND ENGINEERING $39,103
47.078 POLAR PROGRAMS $36,738
81.089 FOSSIL ENERGY RESEARCH AND DEVELOPMENT $34,465
93.136 INJURY PREVENTION AND CONTROL RESEARCH AND STATE AND COMMUNITY BASED PROGRAMS $34,440
47.079 OFFICE OF INTERNATIONAL SCIENCE AND ENGINEERING $21,663
47.049 MATHEMATICAL AND PHYSICAL SCIENCES $21,625
93.043 SPECIAL PROGRAMS FOR THE AGING, TITLE III, PART D, DISEASE PREVENTION AND HEALTH PROMOTION SERVICES $21,510
10.558 CHILD AND ADULT CARE FOOD PROGRAM $21,092
93.837 CARDIOVASCULAR DISEASES RESEARCH $18,548
66.461 REGIONAL WETLAND PROGRAM DEVELOPMENT GRANTS $16,953
10.855 DISTANCE LEARNING AND TELEMEDICINE LOANS AND GRANTS $16,796
66.708 POLLUTION PREVENTION GRANTS PROGRAM $13,929
11.032 STATE DIGITAL EQUITY PLANNING AND CAPACITY GRANT $13,000
11.432 NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION (NOAA) COOPERATIVE INSTITUTES $12,135
84.379 TEACHER EDUCATION ASSISTANCE FOR COLLEGE AND HIGHER EDUCATION GRANTS (TEACH GRANTS) $10,373
93.788 OPIOID STR $9,561
43.001 SCIENCE $9,444
93.855 ALLERGY AND INFECTIOUS DISEASES RESEARCH $9,365
93.859 BIOMEDICAL RESEARCH AND RESEARCH TRAINING $8,824
66.469 GEOGRAPHIC PROGRAMS - GREAT LAKES RESTORATION INITIATIVE $8,284
15.945 COOPERATIVE RESEARCH AND TRAINING PROGRAMS – RESOURCES OF THE NATIONAL PARK SYSTEM $7,430
93.310 TRANS-NIH RESEARCH SUPPORT $5,744
45.312 NATIONAL LEADERSHIP GRANTS $5,288
11.417 SEA GRANT SUPPORT $4,990
93.997 ASSISTED OUTPATIENT TREATMENT $4,951
10.310 AGRICULTURE AND FOOD RESEARCH INITIATIVE (AFRI) $4,631
43.008 OFFICE OF STEM ENGAGEMENT (OSTEM) $4,000
11.459 WEATHER AND AIR QUALITY RESEARCH $3,355
93.395 CANCER TREATMENT RESEARCH $2,413
93.865 CHILD HEALTH AND HUMAN DEVELOPMENT EXTRAMURAL RESEARCH $2,028
12.420 MILITARY MEDICAL RESEARCH AND DEVELOPMENT $2,000
93.847 DIABETES, DIGESTIVE, AND KIDNEY DISEASES EXTRAMURAL RESEARCH $1,400
93.399 CANCER CONTROL $1,000
47.041 ENGINEERING $855
47.076 STEM EDUCATION (FORMERLY EDUCATION AND HUMAN RESOURCES) $-203
47.075 SOCIAL, BEHAVIORAL, AND ECONOMIC SCIENCES $-326
97.036 DISASTER GRANTS - PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) $-8,534