Finding Text
2023-002 Gramm-Leach-Bliley Act
Federal Agency: Department of Education
Federal Program: Student Financial Aid Cluster
CFDA Numbers: 84.007 – Federal Supplemental Education Opportunity Grants
84.033 – Federal Work Study Program
84.038 – Federal Perkins Loans
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – Teacher Education Assistance for College and Higher Education Grants
Award Period: July 1, 2022 through June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters
Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our audit procedures, it was noted that the College did not prepare a formal risk assessment that addresses the three areas noted in 16 CFR 314.4(b), which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures, and document safeguards for identified risks.
Cause: The College has hired a consultant to help with and enhance the implementation of the updated Gramm-Leach-Bliley Act requirements, and that didn’t occur until late in the 2023 fiscal year.
Effect: Student personal information could potentially be vulnerable.
Repeat Finding: No
Recommendation: We recommend the College work with their consulting firm to review their documentation and ensure that there are documented safeguards for identified risks and that the required documentation and practices are implemented. We also recommend reviewing the changes in the Gramm-Leach-Bliley Act regulations that were required to be implemented as of June 9, 2023.
Views of responsible officials: There is no disagreement with the audit finding.