Finding 499910 (2023-001)

Information on the Federal Program - Federal Pell Grant (ALN: 84.063); Federal Direct Loans (ALN: 84.268) Criteria or Specific Requirement – The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers. Under an institution’s Program Participation Agreement with the Department of Education (ED) and the GLBA, institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the federal student financial aid programs. Accordingly, institutions are required to develop, implement, and maintain a written comprehensive information security program. Condition – During our audit procedures, we noted that Centra’s written information security program did not meet all minimum requirements of the GLBA and therefore was not fully in compliance with the requirement. Cause – Insufficient internal controls and administrative oversight with respect to the Special tests and provisions (N) compliance requirement. Effect or Potential Effect – Centra is not fully in compliance with the GLBA requirement for the year ended December 31, 2023. Questioned Costs – None. Context – During 2023, Centra designated a qualified individual responsible for overseeing and implementing and enforcing a information security program (16 CFR 314.4(a)). However, the remaining six elements of the GLBA (16 CFR 314.4(b)–(g)) were still in process of being implemented as of December 31, 2023. As of December 31, 2023, six of the seven elements were either partially implemented or not implemented. Repeat Finding – This is a repeat of prior year finding 2022-001. Recommendation - We recommend that Centra maintain appropriate internal controls and administrative oversight in order to fully comply with the GLBA requiremenets of 16 CFR 314.4(b)–(g). Such would include (i) performance of a risk assessment; (ii) assessment, design, and implementation of safeguards; (iii) regularly test and monitor the safeguards; (iv) ensure ability to enact the information security program; (v) oversee service providers; and (vi) adjust in light of results of testing and monitoring. Views of Responsible Officials – Centra management agrees with this finding and is in process of implementing a corrective action plan.