Finding 6095 (2023-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2023-12-21

AI Summary

  • Core Issue: The University is not fully compliant with the updated requirements of the Gramm-Leach-Bliley Act (GLBA), risking student information security.
  • Impacted Requirements: Key areas include the information security program, risk assessments, multi-factor authentication, vendor management, and annual reporting.
  • Recommended Follow-Up: Allocate necessary resources to meet GLBA requirements and implement corrective actions as agreed by management.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance
Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, and 84.033 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The University did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $0

Context: The University has not updated the information security program for legislative changes in 2023; sufficiently documented its security risk assessment and safeguards, including encryption, data retention and disposal, and user access reviews; implemented multi-factor authentication on all systems containing personally identifiable information (PII); implemented sufficient vendor management policies and reviews; and provided a written, annual report to the board.

Cause: The University has not allocated sufficient resources to address and document compliance with the updated requirements of GLBA.

Effect: The University has not adequately addressed the updated requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We recommend the University allocate sufficient resources to address all updated requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action:

  1. The security program documentation will be updated to reflect actions required by the June 2023 GLBA legislative changes.
  2. The information and technology risk management activities logged and captured in supplemental documentation will be included in the master security program documentation going forward.
  3. Active technology projects and roadmap initiatives that impact GLBA compliance will be expedited.

Person Responsible for Corrective Action Plan: Tirrell Howell, Vice President of Information Technology

Anticipated Date of Completion: May 31, 2024

Categories

Subrecipient Monitoring Significant Deficiency

Other Findings in this Audit

  • 6096 2023-001
    Significant Deficiency
  • 6097 2023-001
    Significant Deficiency
  • 6098 2023-001
    Significant Deficiency
  • 6099 2023-002
    Significant Deficiency Repeat
  • 6100 2023-002
    Significant Deficiency Repeat
  • 6101 2023-002
    Significant Deficiency Repeat
  • 582537 2023-001
    Significant Deficiency
  • 582538 2023-001
    Significant Deficiency
  • 582539 2023-001
    Significant Deficiency
  • 582540 2023-001
    Significant Deficiency
  • 582541 2023-002
    Significant Deficiency Repeat
  • 582542 2023-002
    Significant Deficiency Repeat
  • 582543 2023-002
    Significant Deficiency Repeat

Programs in Audit

ALN     Program Name                                          Expenditures
84.268  Federal Direct Student Loans                          $10.44M
84.063  Federal Pell Grant Program                            $1.71M
84.215  Fund for the Improvement of Education                 $608,922
84.033  Federal Work-Study Program                            $97,226
84.425  Education Stabilization Fund                          $84,737
84.007  Federal Supplemental Educational Opportunity Grants   $60,287