Finding 371245 (2023-002)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-02-29

AI Summary

  • Core Issue: The Institute lacks a formal policy documenting safeguards for risks identified in its risk assessment, violating compliance requirements under the Gramm-Leach-Bliley Act.
  • Impacted Requirements: The absence of a documented policy affects compliance with 16 CFR 314.4(b), which includes employee training, information systems management, and response to security threats.
  • Recommended Follow-Up: Management should create and formalize a comprehensive policy addressing the required areas, ensure annual reviews, and document approval processes for better compliance and internal controls.

Finding Text

2023-002

Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.

Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.

Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b).

Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b).

Questioned Costs: Questioned costs could not be determined.

Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b).

Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act.

Effect: The Institute has no documented policy and the related safeguards for each risk identified.

Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.

Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.

Categories

  • Special Tests & Provisions
  • Subrecipient Monitoring
  • Significant Deficiency
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 371240 2023-001
    Material Weakness
  • 371241 2023-002
    Significant Deficiency
  • 371242 2023-001
    Material Weakness
  • 371243 2023-002
    Significant Deficiency
  • 371244 2023-001
    Material Weakness
  • 371246 2023-001
    Material Weakness
  • 371247 2023-002
    Significant Deficiency
  • 947682 2023-001
    Material Weakness
  • 947683 2023-002
    Significant Deficiency
  • 947684 2023-001
    Material Weakness
  • 947685 2023-002
    Significant Deficiency
  • 947686 2023-001
    Material Weakness
  • 947687 2023-002
    Significant Deficiency
  • 947688 2023-001
    Material Weakness
  • 947689 2023-002
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $7.76M
84.063 Federal Pell Grant Program $1.77M
84.007 Federal Supplemental Educational Opportunity Grants $175,630
84.033 Federal Work-Study Program $84,944
84.126 Rehabilitation Services_vocational Rehabilitation Grants to States $7,608
42.025 Promotion of the Arts Partnership Agreements $4,000
84.334 Gaining Early Awareness and Readiness for Undergraduate Programs $3,500