FAC Explorer

Finding 1179032 (2025-001)

Material Weakness Repeat Finding
Requirement
N
Questioned Costs
-
Year
2025
Accepted
2026-03-12
Audit: 391461
Organization: Vermont State Colleges (VT)
Auditor: WITHUMSMITH+BROWN PC

AI Summary

  • Core Issue: Colleges lack a formal Written Information Security Plan (WISP), which is required for safeguarding sensitive data.
  • Impacted Requirements: Non-compliance with federal regulations (2 CFR 200.303, 16 CFR 314) regarding information security programs.
  • Recommended Follow-up: Develop and implement a comprehensive WISP aligned with federal standards by fiscal year 2026.

Finding Text

Finding number: 2025-001 Federal agency: U.S. Department of Education Programs: Student Financial Assistance (SFA) Cluster Assistance Listing Number: 84.007, 84.033, 84.268, 84.063 Award year: 2025 Criteria The Code of Federal Regulations, consisting of 2 CFR 200.303, 16 CFR 314.3(a), and 16 CFR 314, requires that financial institutions, including institutions participating in Title IV programs, develop, implement, and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the sensitivity of the information being protected aligned with federal information security standards. Condition During our testing of the SFA Cluster, we requested the College’s Written Information Security Plan (WISP). The Colleges were unable to provide a formal, documented WISP. The Colleges' general IT policies and procedures provided did not fully meet WISP requirements. Cause The Colleges have not developed or formalized a standalone WISP. Effect Without a formalized WISP, the Colleges are at a heighted risk of inadequate safeguarding of sensitive data, inconsistent application of security practices and procedures, and an increased likelihood of unauthorized access, data loss or misuse. Questioned Costs N/A Perspective Due to its nature, this deficiency is systemic, affecting the entire SFA Cluster population and related programs. Identification as a Repeat Finding, if applicable N/A Recommendation The Colleges should develop, approve, and implement a Written Information Security Plan (WISP) aligned with 16 CFR Part 314 requirements and tailored to the systems and data associated with the SFA Cluster. View of Responsible Officials The Colleges agree with the finding. This issue was the result of information security policies that did not reflect actual current practices. Such current practices were updated over the last two years in response to industry standards, insurance requirements, and Gramm Leach Billey Act requirements, which are believed to meet the requirements of these regulations. However, because they were not documented formally in a comprehensive policy form, they could not be adequately provided during the audit. In early Fall 2025, the Colleges hired a new Chief Information Security Officer (CISO), who has begun overhauling the information security policies to reflect current practices. The CISO has also created a preliminary draft of a WISP that reflects the Colleges current policies and procedures. This WISP is expected to be completed and implemented during fiscal year 2026, pending board review and approval.

Corrective Action Plan

Finding number: 2025-001 Federal agency: U.S. Department of Education Programs: Student Financial Assistance (SFA) Cluster Assistance Listing Number: 84.007, 84.033, 84.268, 84.063 Award year: 2025 Corrective Action Plan The Colleges hired a new Chief Information Security Officer (CISO), who has begun overhauling the information security policies to reflect current practices. The CISO has also created a preliminary draft of a WISP that reflects the Colleges current policies and procedures. This WISP is expected to be completed and implemented during fiscal year 2026, pending board review and approval. Timeline for Implementation of Corrective Action Plan Immediately. Contact Person Sharron Scott, CFO

Categories

Student Financial Aid

Other Findings in this Audit

  • 1179029 2025-001
    Material Weakness Repeat
  • 1179030 2025-001
    Material Weakness Repeat
  • 1179031 2025-001
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 FEDERAL DIRECT STUDENT LOANS $26.37M
84.063 FEDERAL PELL GRANT PROGRAM $17.59M
84.042 TRIO STUDENT SUPPORT SERVICES $1.72M
93.575 CHILD CARE AND DEVELOPMENT BLOCK GRANT $1.60M
16.753 CONGRESSIONALLY RECOMMENDED AWARDS $1.55M
84.033 FEDERAL WORK-STUDY PROGRAM $1.53M
93.493 CONGRESSIONAL DIRECTIVES $1.41M
84.116 FUND FOR THE IMPROVEMENT OF POSTSECONDARY EDUCATION $1.30M
84.007 FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS $1.26M
84.047 TRIO UPWARD BOUND $1.10M
11.611 MANUFACTURING EXTENSION PARTNERSHIP $1.05M
21.027 CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS $1.01M
59.037 SMALL BUSINESS DEVELOPMENT CENTERS $682,621
47.083 INTEGRATIVE ACTIVITIES $435,975
94.006 AMERICORPS STATE AND NATIONAL 94.006 $403,681
11.307 ECONOMIC ADJUSTMENT ASSISTANCE $337,086
84.217 TRIO MCNAIR POST-BACCALAUREATE ACHIEVEMENT $313,087
90.601 NORTHERN BORDER REGIONAL DEVELOPMENT $274,972
84.334 GAINING EARLY AWARENESS AND READINESS FOR UNDERGRADUATE PROGRAMS $251,529
93.859 BIOMEDICAL RESEARCH AND RESEARCH TRAINING $249,337
84.031 HIGHER EDUCATION INSTITUTIONAL AID $210,005
84.184 SCHOOL SAFELY NATIONAL ACTIVITIES $207,929
17.289 COMMUNITY PROJECT FUNDING/CONGRESSIONALLY DIRECTED SPENDING $205,220
17.280 WIOA DISLOCATED WORKER NATIONAL RESERVE DEMONSTRATION GRANTS $195,758
93.959 BLOCK GRANTS FOR PREVENTION AND TREATMENT OF SUBSTANCE ABUSE $191,951
93.434 EVERY STUDENT SUCCEEDS ACT/PRESCHOOL DEVELOPMENT GRANTS $150,000
84.048 CAREER AND TECHNICAL EDUCATION -- BASIC GRANTS TO STATES $150,000
21.031 STATE SMALL BUSINESS CREDIT INITIATIVE TECHNICAL ASSISTANCE GRANT PROGRAM $83,393
11.020 CLUSTER GRANTS $77,299
59.059 CONGRESSIONAL GRANTS $75,393
20.205 HIGHWAY PLANNING AND CONSTRUCTION $57,621
93.084 PREVENTION OF DISEASE, DISABILITY, AND DEATH BY INFECTIOUS DISEASES $50,980
10.855 DISTANCE LEARNING AND TELEMEDICINE LOANS AND GRANTS $45,950
84.181 SPECIAL EDUCATION-GRANTS FOR INFANTS AND FAMILIES $36,470
93.958 BLOCK GRANTS FOR COMMUNITY MENTAL HEALTH SERVICES $29,287
10.326 CAPACITY BUILDING FOR NON-LAND GRANT COLLEGES OF AGRICULTURE (NLGCA) $27,727
93.243 SUBSTANCE ABUSE AND MENTAL HEALTH SERVICES PROJECTS OF REGIONAL AND NATIONAL SIGNIFICANCE $25,356
93.855 ALLERGY AND INFECTIOUS DISEASES RESEARCH $21,203
15.966 HISTORIC PRESERVATION FUND GRANTS-IN-AID FOR COMPETITIVE GRANTS $20,016
47.084 NSF TECHNOLOGY, INNOVATION, AND PARTNERSHIPS $14,195
47.074 BIOLOGICAL SCIENCES $13,842
43.008 OFFICE OF STEM ENGAGEMENT (OSTEM) $10,781
93.391 ACTIVITIES TO SUPPORT STATE, TRIBAL, LOCAL AND TERRITORIAL (STLT) HEALTH DEPARTMENT RESPONSE TO PUBLIC HEALTH OR HEALTHCARE CRISES $4,371
10.241 INSTITUTE OF RURAL PARTNERSHIPS (GP 778) $1,620