Finding 399273 (2023-001)

Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster Assistance Listing Numbers: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Federal Award Identification Number and Year: N/A Award Period: September 1, 2022 to August 31, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). In addition, per Uniform Guidance 2 CFR 200.303, federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None Context: During our review of the GLBA reports for Alamo Community College District, we noted one of the eight required GLBA safeguards was missing from the written information security plan (District’s Enterprise Data Governance Standard), and there was no review of the plan. Cause: The Enterprise Data Governance Standard did not include one of the required GLBA safeguards. Effect: The District is not in full compliance with GLBA. Repeat Finding: No Recommendation: We recommend that the District review the updated GLBA requirements and ensure their Enterprise Data Governance Standard includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding. The District has a plan to correct the finding.