Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.007, 84.033, 84.063, & 84.268
Federal Award Identification Number and Year: P007A224541-2023, P033A224541-2023, P063P222982-2023, & P268K232982-2023
Award Period: July 1, 2022 through June 30, 2023
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The District is responsible for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(4) and (6). The minimum safeguards include eight required written information security program elements. Two of these safeguards were omitted from the District’s written information security program. The District must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: For the year ended June 30, 2023, the District did not maintain a written information security program that address the implementation of two of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8).
Questioned costs: None
Context: The District did not have a written information security program that addressed two of the minimum safeguards during the year ended June 30, 2023.
Cause: The District’s policy reviews for compliance with noted requirements were not completed prior to the year ended June 30, 2023.
Effect: The District’s policies and procedures may not comply with all applicable requirements.
Repeat Finding: The finding is not a repeat finding.
Recommendation: We recommend the District review and update as necessary written information security program(s) to include aspects required by regulations.
Views of responsible officials: There is no disagreement with the audit finding.