Finding Text
2023-002
Agencies: U.S. Department of Education
Federal Assistance Listing Number: 84.038, 84.063, 84.007, 84.033, and 84.268
Programs: Student financial assistance cluster
Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests
Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program policy that addresses the six required minimum safeguard elements identified within 16 Code of Federal Regulations (CFR) 314.4(b).
Statement of Condition: A formal written policy was not completed and documented in fiscal 2023 as required by 16 CFR 314.4(b).
Questioned Costs: The amount of questioned costs could not be determined.
Context: The College did not have a written procedure policy that outlined the design and implementation of the Gramm-Leach-Bliley Act safeguards for each area identified within 16 CFR 314.4(b); therefore, the College did not comply with the compliance requirement. However, the College does have safeguards in place for each area identified within 16 CFR 314.4(b).
Cause: The College did not have internal controls in place to address the risk assessment required by the Gramm-Leach-Bliley Act (GLBA).
Effect: The Institute has no documentation of the risk assessment performed and the related safeguards for each risk identified.
Recommendation: We recommend that management review 16 CFR 314.4(b) and perform a risk assessment that addresses the three required areas: (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures. This risk assessment should be documented, and we recommend that the College document the approval and acceptance of the risk assessment. In addition, we recommend that management review internal control processes for special tests and provisions on an annual basis.
Management Response: Management is in agreement with the finding. The College is working with a cybersecurity partner to assist with GLBA compliance and cybersecurity hardening of the College’s infrastructure. The cybersecurity partner will assist in preparing the required documentation that addresses the risk assessment of the areas noted in the finding.