Finding 519614 (2024-003)

- Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-01-17
Audit: 338706
Organization: Cleary University (MI)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The University is not fully compliant with the GLBA requirements, specifically in vendor management policies.
  • Impacted Requirements: Compliance with 16 CFR 314.4 is incomplete, risking student information security.
  • Recommended Follow-Up: Allocate resources to finalize vendor management policies to achieve full GLBA compliance.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance

DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, and 84.033
Student Financial Assistance Cluster
Federal Award Identification #: 2023-2024 Award Year

Condition: The University did not sufficiently comply with all the requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $0

Context: The University has made progress from the prior year on GLBA compliance. The University has one remaining area left to implement relating to sufficient vendor management policies and reviews.

Cause: The University has prioritized resources to address and document compliance with multi-factor authentication and risk assessment evaluation before implementing the vendor management requirements of GLBA.

Effect: The University has not adequately addressed all the requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Yes, 2023-003

Recommendation: We recommend the University allocate sufficient resources to address all remaining requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: To address the GLBA finding regarding sufficient vendor management policies and reviews, we are actively enhancing our oversight process by collecting security attestations (SOC or HECVAT) from all vendors. These attestations are being evaluated and translated into our newly developed risk matrix, which aligns with our broader risk management framework. This approach allows us to systematically assess each vendor's security posture and assign corresponding risk levels, ensuring compliance with GLBA requirements and supporting informed decision-making in vendor relationships.

Person Responsible for Corrective Action Plan: Eric Riddering, Chief Information Officer

Anticipated Date of Completion: June 30, 2025

Categories

Subrecipient Monitoring

Other Findings in this Audit

  • 519609 2024-001
    Material Weakness Repeat
  • 519610 2024-001
    Material Weakness Repeat
  • 519611 2024-001
    Material Weakness Repeat
  • 519612 2024-002
    Significant Deficiency
  • 519613 2024-002
    Significant Deficiency
  • 519615 2024-003
    - Repeat
  • 519616 2024-003
    - Repeat
  • 519617 2024-003
    - Repeat
  • 1096051 2024-001
    Material Weakness Repeat
  • 1096052 2024-001
    Material Weakness Repeat
  • 1096053 2024-001
    Material Weakness Repeat
  • 1096054 2024-002
    Significant Deficiency
  • 1096055 2024-002
    Significant Deficiency
  • 1096056 2024-003
    - Repeat
  • 1096057 2024-003
    - Repeat
  • 1096058 2024-003
    - Repeat
  • 1096059 2024-003
    - Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $5.49M
84.063 Federal Pell Grant Program $1.49M
84.007 Federal Supplemental Educational Opportunity Grants $74,929
84.033 Federal Work-Study Program $26,250