Finding Text
2023-008 Special Tests and Provisions
Federal Agency: U.S. Department of Education
Federal Program Title: Student Financial Assistance Cluster
Assistance Listing No. 84.063, 84.268
Federal Award Identification Number and Year: P063P218567-2023, P268K228567-2023
Award Periods: July 1, 2022 through June 30, 2023
Type of Finding:
- Significant Deficiency in Internal Control Over Compliance
- Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The regulation states that the college must designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program. (16 CFR 314.4(a)). The entity shall have a Written Information Security Program (WISP) that outlines the design and implementation of the risk assessment procedures. (16 CFR 314.4(b)). At a minimum, the institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Per 2 CFR 200.303, nonfederal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements.
Condition: The College has now created a Written Information Security Program; however, the College did not meet the minimum requirements stated in the Gramm-Leach-Bliley Act. Additionally, the College
did not designate a qualified individual responsible for overseeing and implementing the information and security program.
Questioned Costs: None
Context: The College now has a Written Information Security Program; however, the College did not meet the minimum requirements stated in the Gramm-Leach-Bliley Act. Additionally, the College did not designate a qualified individual responsible for overseeing and implementing the information and security program.
Cause: The College did not have the appropriate resources and staffing in place to verify they were in compliance with all requirements.
Effect: There is a risk the College’s information and systems could be vulnerable to attacks or intrusions, and these attacks may not be detected in a timely manner.
Repeat findings: 2022-007
Recommendation: We recommend the College design controls to ensure an adequate review process is in place to ensure compliance with reporting requirements.
Views of Responsible Officials: There is no disagreement with the audit finding.