Finding Text
2022-009: Special Tests and Provisions – The Gramm-Leach-Bliley Act (GLBA)
Federal Agency:
Department of Education
Federal Program Title:
Student Financial Aid Cluster
Assistance Listing Number:
84.007, 84.033, 84.063, 84.268
Award Number and Year: P007A215801 (March 25, 2021 - August 31, 2027),
P033A215801(July 1, 2021 - August 31, 2027),
P063P213807(March 23, 2021 - August 31, 2027),
P268K223807(January 1, 2021 - July 31, 2043)
Award Period: July 1, 2021 – June 30, 2022
Type of Finding: Material Weakness in Internal Control Over Compliance, Other Matters
Criteria or Specific Requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance- The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned Costs: None
Context: During our audit procedures, it was noted that the University did not conduct a risk assessment that addresses (2) and (3) of the 3 areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks.
Cause: The University experienced turnover in the department responsible for this process and had a ransomware cyber-attack during the year ended June 30, 2022.
Effect: The student personal information could be vulnerable.
Repeat Finding: Yes – 2021-002.
Recommendation: We recommend the University engage a third party or perform the risk assessment for the two areas required by the Gramm-Leach-Bliley Act that have not been completed and documented and ensure that there are documented safeguards for identified risks.
Views of Responsible Officials: There is no disagreement with the audit finding.