Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program)
Pass-Through Agency: N/A
Pass-Through Number(s): N/A
Award Period: June 1, 2023 – May 31, 2024
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Code of Federal Regulations 2 CFR 200.303 requires the University to establish and maintain effective internal controls over Federal awards. Condition: During our testing of the University’s information technology, we noted the University did not maintain a comprehensive written security program that included the minimum required elements. The University does perform all procedures required by the Gramm-Leach-Bliley Act, however, these procedures are not formally documented.
Questioned costs: None
Context: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Cause: The University has continued to make progress in updating the University’s written security program to become in compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: The student personal information could be vulnerable.
Repeat finding: No
Recommendation: We recommend the University work to update the written security program to ensure compliance with all the standards.
Views of responsible officials: There is no disagreement with the audit finding.