Corrective Action Plan
For the Year Ended May 31, 2023
Finding 2023-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268;
United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance
for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including
performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal
Regulations (CFR) 314.4 (b).
Statement of Condition: The Institute performed a risk assessment; however, the safeguards for the risks identified
were not formally documented in a policy. No formal policy addressing the required areas noted in 16 CFR 314.4 (b)
was reviewed in fiscal year 2023.
Questioned Costs: Questioned costs could not be determined.
Context: A policy and documentation linking the safeguards to the risk assessment were not formally written. The
internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute
performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4 (b).
Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the
safeguards required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no verifiable evidence of the policy and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the
three required areas, which are (1) employee training and management; (2) information systems, including network
and software design, as well as information processing, storage, transmission and disposal; and (3) detecting,
preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and
reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In
addition, we recommend management review internal control processes for special tests and provisions on an
annual basis.
Status: In progress, anticipated completion September 2024
Corrective Action: Management agrees with the finding. We are currently developing a comprehensive cybersecurity
policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed
annually. We are now conducting annual penetration tests, the most recent in December 2023, to address internal
control processes. We have contracted with a planning team at CDW to determine best practices and perform
training. We have begun providing a quarterly GLBA Compliance update to our board, with an annual
comprehensive GLBA review to the board.
Contact
Matt Ogden
Director of Technology
414.847.3223
mattogden@miad.edu
Submitted Feb 23, 2024