Wells College (the College) respectfully submits the following corrective action plan for the year ended June 30, 2023.
Name and address of independent public accounting firm:
Bonadio & Co., LLP
432 North Franklin Street #60
Syracuse, New York 13204
Audit period:
July 1, 2022 - June 30, 2023
The findings from the 2023 schedule of findings and questioned costs are discussed below. The findings are numbered
consistently with the numbers assigned in the schedule.
FINDINGS AND QUESTIONED COSTS - MAJOR FEDERAL AWARD PROGRAMS AUDIT
Finding 2023-001 - Student Financial Assistance Cluster
Compliance Requirement N. Gramm-Leach-Bliley Act-Student Information Security
Recommendation: Our auditors recommend that we conduct a formal risk assessment and update our written
information security program (WISP) to ensure the seven required elements are addressed. As part of this process,
Information Technology (IT) policies should be updated to align with our current IT environment and be formally
approved and implemented throughout the College.
Action Taken: Wells College is partnering with Grey Castle Security to conduct a risk assessment and penetration test.
This will be completed in February. Additionally, Grey Castle has helped to redraft our Incident Response Plan. This
has been completed, and training on this plan is scheduled for later in January, with Tabletop simulations occurring
with the Wells College Emergency Planning Team and IT in February. Over the next couple of months, IT will be
refreshing its policies in collaboration with the Wells College Technology Advisory Group (TAG), a committee
representing all areas of the college. Once TAG has approved the policies, they will go to the Cabinet for approval. The
existing policies will be merged into the WISP as a single self-contained document, replacing the multiple separate policies now in place.
The Chief Financial Officer, Robert Cree, is responsible for implementing this plan by June 30, 2024, and can be
reached at (315) 364-3408 or rcree@wells.edu.