Finding 1182481 (2025-004)

Material Weakness Repeat Finding

Requirement

Questioned Costs

Year

2025

Accepted

2026-03-24

Audit: 393884

Organization: Eastern Oregon University (OR)

Auditor: CLIFTONLARSONALLEN LLP

AI Summary

Core Issue: The University is not fully compliant with the GLBA Safeguards Rule, specifically regarding the monitoring of user access controls.
Impacted Requirements: Compliance with the GLBA requires institutions to implement and periodically evaluate safeguards for protecting student financial aid information.
Recommended Follow-Up: The University should establish a process for regularly reviewing user access controls to enhance data security and ensure compliance.

Finding Text

Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.268, 84.063, 84.007, 84.033, 84.379 Federal Award Identification Number and Year: P268K252058-2025, P063P242058-2025, P007A253479-2025, P033A253479-2025, P379T262058-2025 Award Period: July 1, 2024 to June 30, 2025 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Compliance, Other Matter Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) and its implementing regulations require financial institutions to protect the security, confidentiality, and integrity of customer information (16 CFR Part 314). Title IV-eligible institutions participating in the Federal Student Financial Assistance Programs are considered financial institutions subject to GLBA requirements and agree to comply with these requirements through their Program Participation Agreement with the U.S. Department of Education. Institutions are required to safeguard student financial aid information, including implementing administrative, technical, and physical safeguards, and periodically evaluating the effectiveness of those safeguards, including user access controls (16 CFR 314.3 and 314.4). Condition: CLA identified that the University does not meet all the compliance requirements of the GLBA safeguards rule. Questioned costs: None reported. Context: During our testing, we noted that the University did not demonstrate compliance with certain requirements of the GLBA Safeguards Rule related to ongoing monitoring of system access. Cause: The University does not have a process in place to periodically review and evaluate user access controls. Effect: The absence of periodic review of user access controls increases the risk of unauthorized access to sensitive student financial aid information, which could compromise the security andconfidentiality of protected data. Repeat Finding: No. Recommendation: We recommend the University review the GLBA Safeguards Rule and implement appropriate processes and controls to ensure compliance with all applicable provisions. View of Responsible Official: There is no disagreement with the audit finding.

Corrective Action Plan

Recommendation: We recommend the University review the GLBA Safeguards Rule and implement appropriate processes and controls to ensure compliance with all applicable provisions. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The IT Department, in conjunction with Human Resources and individual directors and department heads, will institute an annual system inventory of data classification and owner, ensuring job roles and position descriptions are mapped to access profiles. The CIO will review the current classification process for assigning role-based access and the related IT ticketing process for access to ensure existence of documented approvals for provisioning and role changes through a defined access request and approval workflow. IT will also work with HR to establish onboarding/position change/separation controls and timelines triggered by HR provisioning with same-day termination (within 24-hours) upon termination and role change reviews with transfers. IT will also enforce multi-factor authentication (MFA) administrative access where feasible. The relevant Policy and Procedure Manuals will be updated to define access privileges and approval processes, and staff will be trained annually and with onboarding. Name(s) of the contact person(s) responsible for corrective action: Russ Fagan, Chief Information Officer Planned completion date for corrective action plan: March 31, 2026

Other Findings in this Audit

1182465 2025-001

Material Weakness Repeat
1182466 2025-001

Material Weakness Repeat
1182467 2025-001

Material Weakness Repeat
1182468 2025-001

Material Weakness Repeat
1182469 2025-001

Material Weakness Repeat
1182470 2025-002

Material Weakness Repeat
1182471 2025-002

Material Weakness Repeat
1182472 2025-003

Material Weakness Repeat
1182473 2025-003

Material Weakness Repeat
1182474 2025-003

Material Weakness Repeat
1182475 2025-003

Material Weakness Repeat
1182476 2025-003

Material Weakness Repeat
1182477 2025-004

Material Weakness Repeat
1182478 2025-004

Material Weakness Repeat
1182479 2025-004

Material Weakness Repeat
1182480 2025-004

Material Weakness Repeat
1182482 2025-005

Material Weakness Repeat
1182483 2025-005

Material Weakness Repeat

Programs in Audit

ALN	Program Name	Expenditures
84.268	FEDERAL DIRECT STUDENT LOANS	$12.24M
84.063	FEDERAL PELL GRANT PROGRAM	$5.55M
93.600	HEAD START	$2.53M
21.027	CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS	$910,871
84.116	FUND FOR THE IMPROVEMENT OF POSTSECONDARY EDUCATION	$474,604
84.031	HIGHER EDUCATION INSTITUTIONAL AID	$364,773
84.033	FEDERAL WORK-STUDY PROGRAM	$242,639
17.600	MINE HEALTH AND SAFETY GRANTS	$166,581
84.007	FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS	$124,185
10.558	CHILD AND ADULT CARE FOOD PROGRAM	$113,142
84.424	STUDENT SUPPORT AND ACADEMIC ENRICHMENT PROGRAM	$88,104
59.037	SMALL BUSINESS DEVELOPMENT CENTERS	$33,200
84.379	TEACHER EDUCATION ASSISTANCE FOR COLLEGE AND HIGHER EDUCATION GRANTS (TEACH GRANTS)	$21,531
47.074	BIOLOGICAL SCIENCES	$8,667
84.425	EDUCATION STABILIZATION FUND	$3,000