FAC Explorer

Finding 517988 (2024-001)

-
Requirement
N
Questioned Costs
-
Year
2024
Accepted
2025-01-07
Audit: 336252
Organization: Monmouth College (IL)
Auditor: Sikich CPA LLC

AI Summary

  • Core Issue: The College lacks a written information security program and risk assessment, violating GLBA standards for safeguarding customer information.
  • Impacted Requirements: Failure to protect data from the Department of Education affects compliance with Title IV program administration.
  • Recommended Follow-Up: Develop a formal security program and conduct a risk assessment to meet regulatory requirements and await further guidance from the Department of Education.

Finding Text

2024-001 – Student Financial Assistance Cluster – (a) Federal Supplemental Educational Opportunity Grants (b) Federal Work Study Program (c) Federal Perkins Loan Program (d) Federal Pell Grant Program (e) Federal Direct Student Loans (f) Teacher Education Assistance for College and Higher Education Grants, Assistance Listing No. (a) 84.007 (b) 84.033 (c) 84.038 (d) 84.063 (e) 84.268 (f) 84.379 – Year Ended June 30, 2024 Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)). Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). Condition: The College did not implement a written information security program and a risk assessment as part of the Gramm-Leach-Bliley Act’s (GLBA) standards for safeguarding customer information. We consider this finding to be an instance of noncompliance in relation to Special Tests and Provisions. Statistical sampling was not used in making sample selections. Questioned Costs: N/A Effect: The result is the College did not meet the requirements for protecting and securing data obtained from the Department of Education’s systems for the purpose of administering the Title IV programs. Recommendation: We recommend the College complete a formal security information program and risk assessment to adhere to the regulations and await guidance from the Department of Education. Views of Responsible Officials: Management agrees with this Single Audit Finding and response is included in the Corrective Action Plan.

Corrective Action Plan

2024-001 – Student Financial Assistance Cluster – (a) Federal Supplemental Educational Opportunity Grants (b) Federal Work Study Program (c) Federal Perkins Loan Program (d) Federal Pell Grant Program (e) Federal Direct Student Loans (f) Teacher Education Assistance for College and Higher Education Grants, Assistance Listing No. (a) 84.007 (b) 84.033 (c) 84.038 (d) 84.063 (e) 84.268 (f) 84.379 – Year Ended June 30, 2024 Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)). Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). Condition: The College did not implement a written information security program and a risk assessment as part of the Gramm-Leach-Bliley Act’s (GLBA) standards for safeguarding customer information. We consider this finding to be an instance of noncompliance in relation to Special Tests and Provisions. Statistical sampling was not used in making sample selections. Corrective Action Plan: We are currently working with our IT vendors (CampusWorks and Lockstep) on policies and increasing GLBA compliance. Responsible Person for Corrective Action Plan: Holly Tharp, Vice President for Finance and Business Implementation Date for Corrective Action Plan: June 30, 2025

Categories

Student Financial Aid Special Tests & Provisions Subrecipient Monitoring Matching / Level of Effort / Earmarking

Other Findings in this Audit

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $5.97M
84.063 Federal Pell Grant Program $1.46M
84.038 Federal Perkins Loan Program $385,517
84.215 Innovative Approaches to Literacy; Promise Neighborhoods; Full-Service Community Schools; and Congressionally Directed Spending for Elementary and Secondary Education Community Projects $235,920
84.007 Federal Supplemental Educational Opportunity Grants $192,138
84.033 Federal Work-Study Program $121,127
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $26,404
45.160 Promotion of the Humanities Fellowships and Stipends $21,029