Finding Text
2022-006 (2020-004) – Internal Controls and Title IV Administration—Material Weakness Federal Agency: Federal Program: Assistance Listing Nos: Department of Education Title: Student Financial Assistance Cluster 84.007 – Federal Supplemental Education Opportunity Grants (SEOG) 84.033 – Federal Work Study Program (FWS) 84.063 – Federal Pell Grant Program (Pell) 84.268 – Federal Direct Student Loans (FDSL) Federal Award Numbers: P033A208469(SEOG) P033A208469(FWS) P063P204871(PELL) P268K234871(FDSL) Award Period: July 1, 2021 to June 30, 2022 Name of Applicable Pass-Through Entity- Not applicable Condition: A report was provided to auditors that addressed certain aspects of GLBA based on the prior year comment but was incomplete in certain other areas. During our audit procedures, it was noted that the College did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Management’s progress: Management has made some/minimal progress. Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Questioned Costs: None. Cause: The College did not perform an IT risk assessment tailored specifically to the organization, identify risks, nor address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The students’ personal information could be vulnerable. Recommendation: We recommend that the College designate an individual to oversee the information security function, engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials and planned corrective actions: The College is implementing a new version of Jenzabar. Updated configuration will include updated security features. The planned completion date for the upgrades to the processes and systems is December 31, 2024. The responsible party is the Information Technology.