FAC Explorer

Finding 1200660 (2025-002)

Material Weakness Repeat Finding
Requirement
N
Questioned Costs
-
Year
2025
Accepted
2026-03-30
Audit: 395694
Organization: Payne Theological Seminary (OH)
Auditor: CLIFTONLARSONALLEN LLP

AI Summary

  • Core Issue: The Written Information Security Program (WISP) is missing key elements required by the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: GLBA mandates a comprehensive security program with specific elements for institutions, which were not fully addressed.
  • Recommended Follow-Up: The Seminary should review and update their WISP to include all GLBA requirements to protect student personal information.

Finding Text

2025-002: Gramm-Leach Bliley Act (GLBA) Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster ALN Numbers: 84.268 – Federal Direct Loan Program Award Period: July 1, 2024 through June 30, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, we noted several steps missing from the Written Information Security Program (WISP). Questioned Costs: None Context: There are elements missing from the Seminary’s WISP that are part of the GLBA requirements. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: Yes – See 2024-003 Recommendation: We recommend that the Seminary review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.

Corrective Action Plan

Student Financial Aid Cluster – CFDA No. 84.268 Recommendation: We recommend that the Seminary review the updated GLBA requirements and ensure their WISP includes all required elements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The Seminary will continue to review and update our current WISP to comply with all requirements and updated standards. Name(s) of the contact person(s) responsible for corrective action: Raymond Ingram Planned completion date for corrective action plan: June 2026

Categories

No categories assigned yet.

Other Findings in this Audit

  • 1200659 2025-001
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 FEDERAL DIRECT STUDENT LOANS $1.62M