Finding 1214907 (2025-001)

Material Weakness Repeat Finding
Requirement: E
Questioned Costs: -
Year: 2025
Accepted: 2026-05-19

AI Summary

  • Core Issue: The College lacks a designated person to manage its information security program and does not have a written program in place.
  • Impacted Requirements: This situation puts the College out of compliance with the GLBA, which is essential for the Student Financial Assistance program.
  • Recommended Follow-Up: Assign an individual to oversee the information security program and create a written plan for Board approval.

Finding Text

Condition: It was noted that the College has not designated an individual for implementing and monitoring of the College’s information security program and no written information security program is available.

Criteria: The GLBA requires the College to explain its information sharing practices to its customers and to safeguard sensitive information. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. Institutions are required to be in compliance with the revised or final requirements no later than June 9, 2023.

Cause: Unknown

Effect or Potential Effect: Currently, the College is not in compliance with the GLBA, a required Program Eligibility compliance for the Student Financial Assistance program.

Known Questioned Costs: None noted

Context: Adherence to the GLBA is part of program eligibility requirements for the Student Financial Assistance Program.

Repeat Finding: No

Recommendation: We recommend that the College designate an individual that would take responsibility for implementing and monitoring of the College’s information security program including drafting the Information Security Program for approval by the Board of Trustees.

Corrective Action Plan

Views of Responsible Officials: The college verbally assigned GLBA responsibilities to an individual in a meeting several years ago regarding GLBA which was attended by all departments affected by its regulations. However, that assignment was not formalized in writing. This individual separated employment with the college in January 2026. As a result, the college is currently in the process of transitioning its information technology (IT) department under the auspices of the State University of New York Information Technology Exchange Center (SUNY ITEC) where the college has access to a wide range of resources including experts in GLBA. With this transition, SUNY ITEC will appoint the Chief Information Officer / IT Director as the qualified individual (QI) for GLBA compliance. SUNY ITEC’s Security Services will support the Director, informing and advising them of relevant IT Security Program and Security Operations activities and compliance, and the Director will be the signing QI.

Categories

  • Subrecipient Monitoring
  • Eligibility

Other Findings in this Audit

  • 1214903 2025-001
    Material Weakness Repeat
  • 1214904 2025-001
    Material Weakness Repeat
  • 1214905 2025-001
    Material Weakness Repeat
  • 1214906 2025-001
    Material Weakness Repeat

Programs in Audit

ALN     Program Name                                                 Expenditures
84.063  FEDERAL PELL GRANT PROGRAM                                   $4.59M
84.268  FEDERAL DIRECT STUDENT LOANS                                 $3.75M
84.048  CAREER AND TECHNICAL EDUCATION -- BASIC GRANTS TO STATES     $198,687
84.007  FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS          $116,263
84.033  FEDERAL WORK-STUDY PROGRAM                                   $60,730
84.038  FEDERAL PERKINS LOAN PROGRAM_FEDERAL CAPITAL CONTRIBUTIONS   $4,746