Finding Text
2022-007 Special Tests and Provisions

Federal Agency: U.S. Department of Education
Federal Program Title: Student Financial Assistance Cluster
Assistance Listing No. 84.063, 84.268
Federal Award Identification Number and Year: P063P218567-2022, P268K228567-2022
Award Periods: July 1, 2021 through June 30, 2022
Type of Finding: Significant Deficiency in Internal Control Over Compliance; Other Matters

Criteria or specific requirement: The Standards for Safeguarding Customer Information, required by the Gramm-Leach-Bliley Act (GLBA) (16 CFR 314.4 (b)), requires customers to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of operations, including:
1. Employee training and management;
2. Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
3. Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Uniform Grant Guidance (2 CFR 200.303) requires that nonfederal entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures for timely review of the Information Security Program and proper documentation of the risk assessments.

Condition: As a requirement under the College's Program Participation Agreement with the Department of Education, the College must protect student financial aid information. However, during our testing, we noted the College had not properly conducted a risk assessment identifying all internal and external risks to the security, confidentiality, and the integrity of the students' information.

Questioned Costs: None

Context: As a requirement under the College's Program Participation Agreement with the Department of Education, the College must protect student financial aid information. However, during our testing, we noted the College had not properly conducted a risk assessment identifying all internal and external risks to the security, confidentiality, and the integrity of the students' information.

Cause: The College did not have the appropriate resources and staffing in place to verify they were in compliance with all requirements.

Effect: Without documentation of a proper risk assessment, the College is at risk of noncompliance with the GLBA. In addition, there is a risk the College's information and systems could be vulnerable to attacks or intrusions, and these attacks may not be detected in a timely manner.

Repeat findings: 2021-010

Recommendation: We recommend the College design controls to ensure an adequate review process is in place to ensure compliance with reporting requirements. After year end, the College engaged CLA to assist with the GLBA process for the next fiscal year.

Views of Responsible Officials: There is no disagreement with the audit finding.