Finding Text
2022-001 - Special tests and provisions
Information on Federal Program(s) - Federal Pell Grant (ALN: 84.063); Federal Direct Loans (ALN: 84.268)
Criteria or Specific Requirement - The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as "financial institutions" and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers. Under an institution's Program Participation Agreement with the ED and the Gramm-Leach-Bliley Act, institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the federal student financial aid programs. Accordingly, the Gramm-Leach-Bliley Act of the Special tests and provisions (N) compliance requirement states that the institution must designate an employee or employees to coordinate the information security program, perform a risk assessment that addresses the three required areas noted in 16 CFR 314.4 (b), and document safeguards for identified risks.
Condition - During our review of the special tests and provisions (N) compliance requirement, we noted that Centra did not perform the Gramm-Leach-Bliley Act risk assessment during the year under audit and therefore was not in compliance with the requirement.
Cause - Insufficient internal controls and administrative oversight with respect to the Special tests and provisions (N) compliance requirement.
Effect or Potential Effect - Centra is not in compliance with the Gramm-Leach-Bliley Act requirement for the year ended December 31, 2022.
Questioned Costs - None.
Context - Centra did not perform the Gramm-Leach-Bliley Act risk assessment for the year under audit.
Recommendation - We recommend that Centra maintain appropriate internal controls and administrative oversight in order to comply with the special tests and provisions (N) compliance requirement and to designate an employee or employees to coordinate the information security program, perform a risk assessment that addresses the three required areas noted in 16 CFR 314.4 (b), and document safeguards for identified risks.
Views of Responsible Officials - Centra management agrees with this finding. While Centra had information security measures in place during the 2022 audit year, Centra was not aware of the specific GLBA requirements and did not complete the required risk assessment or have a designated individual responsible for coordinating the assessment. Centra has taken measures to ensure compliance going forward.