FAC Explorer

Finding 962755 (2023-002)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-03-27
Audit: 298705
Organization: Marymount University (VA)
Auditor: Cliftonlarsonallen LLP

AI Summary

  • Core Issue: The University failed to conduct a required IT risk assessment, putting student financial aid information at risk.
  • Impacted Requirements: Non-compliance with the Gramm-Leach-Bliley Act, specifically regarding safeguarding sensitive data and documenting risk management practices.
  • Recommended Follow-Up: Engage a third party to perform the necessary risk assessment and establish documented safeguards for identified risks.

Finding Text

2023–002: Gramm-Leach-Bliley Act Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Numbers: 84.007, 84.268, 84.033, 84.038, 84.063 Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Condition: Under an institution’s Program Participation Agreement with the U.S. Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the University did not perform and document a risk assessment that addresses certain of the elements noted in 16 CFR 314.4 (b) which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The University did not perform an IT risk assessment tailored specifically to the University, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The students’ personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University engage a third party or perform the risk assessment for the areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: Please refer to the attached corrective action plan.

Categories

Student Financial Aid Subrecipient Monitoring Significant Deficiency Internal Control / Segregation of Duties

Other Findings in this Audit

  • 386303 2023-002
    Significant Deficiency
  • 386304 2023-003
    Significant Deficiency
  • 386305 2023-004
    Significant Deficiency
  • 386306 2023-002
    Significant Deficiency
  • 386307 2023-003
    Significant Deficiency
  • 386308 2023-004
    Significant Deficiency
  • 386309 2023-005
    Significant Deficiency
  • 386310 2023-002
    Significant Deficiency
  • 386311 2023-003
    Significant Deficiency
  • 386312 2023-004
    Significant Deficiency
  • 386313 2023-002
    Significant Deficiency
  • 386314 2023-003
    Significant Deficiency
  • 386315 2023-004
    Significant Deficiency
  • 386316 2023-002
    Significant Deficiency
  • 386317 2023-003
    Significant Deficiency
  • 386318 2023-004
    Significant Deficiency
  • 962745 2023-002
    Significant Deficiency
  • 962746 2023-003
    Significant Deficiency
  • 962747 2023-004
    Significant Deficiency
  • 962748 2023-002
    Significant Deficiency
  • 962749 2023-003
    Significant Deficiency
  • 962750 2023-004
    Significant Deficiency
  • 962751 2023-005
    Significant Deficiency
  • 962752 2023-002
    Significant Deficiency
  • 962753 2023-003
    Significant Deficiency
  • 962754 2023-004
    Significant Deficiency
  • 962756 2023-003
    Significant Deficiency
  • 962757 2023-004
    Significant Deficiency
  • 962758 2023-002
    Significant Deficiency
  • 962759 2023-003
    Significant Deficiency
  • 962760 2023-004
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $34.99M
84.063 Federal Pell Grant Program $2.70M
84.038 Federal Perkins Loan Program $413,760
93.732 Mental and Behavioral Health Education and Training Grants $308,023
47.076 Education and Human Resources $258,860
84.007 Federal Supplemental Educational Opportunity Grants $171,065
84.031 Higher Education_institutional Aid $98,981
84.033 Federal Work-Study Program $83,742
93.243 Substance Abuse and Mental Health Services_projects of Regional and National Significance $20,971
12.903 Gencyber Grants Program $19,684
93.761 Evidence-Based Falls Prevention Programs Financed Solely by Prevention and Public Health Funds (pphf) $668
93.866 Aging Research $376