Finding 967750 (2023-008)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-04-01
Audit: 301881
Organization: Chestnut Hill College (PA)

AI Summary

  • Core Issue: The College lacks a written information security program, violating the Gramm-Leach-Bliley Act's requirements for safeguarding student financial aid information.
  • Impacted Requirements: Compliance with the Gramm-Leach-Bliley Act is essential for protecting sensitive data and ensuring institutions act as financial entities.
  • Recommended Follow-Up: The College must create and implement an approved information security program, including policies on IT security, risk assessment, and data management.

Finding Text

2023–008: Gramm-Leach-Bliley Act

Federal agency: U.S. Department of Education
Federal program title: Student Financial Aid Cluster
Assistance Listing Numbers: 84.007, 84.033, 84.038, 84.063, 84.268, 84.379
Award Period: July 1, 2022 through June 30, 2023

Type of Finding:
  • Significant Deficiency in Internal Control over Compliance
  • Other Matters

Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).

Condition: Under an institution’s Program Participation Agreement with the U.S. Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.

Questioned costs: None

Context: During our audit procedures, it was noted that the College had not developed and implemented an approved written information security program.

Cause: The College did not develop and implement a written information security program as required by the Gramm-Leach-Bliley Act.

Effect: The students’ personal information could be vulnerable.

Repeat Finding: No

Recommendation: The College should develop and implement an approved written information security program and verify there is a risk management section that describes how the College is identifying, assessing and communicating risks. In addition, there should be a description on the evaluation of safeguard sufficiency in mitigating risks. The information security program should also include the following:
  • IT Security Policy
  • Acceptable Use Policy
  • Incident Response Policy
  • Data Classification Policies
  • Vendor Management Policy
  • Patch Management Policy
  • Data Disposal Policy
  • Risk Assessment Policy
  • Logical Access and User Access Review Policies
  • Evidence of Review by CIO/CISO and responsibility of program

Views of responsible officials: There is no disagreement with the finding.

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Significant Deficiency
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 391289 2023-002
    Significant Deficiency
  • 391290 2023-002
    Significant Deficiency
  • 391291 2023-002
    Significant Deficiency
  • 391292 2023-002
    Significant Deficiency
  • 391293 2023-002
    Significant Deficiency
  • 391294 2023-003
    Significant Deficiency
  • 391295 2023-003
    Significant Deficiency
  • 391296 2023-004
    Significant Deficiency
  • 391297 2023-005
    Significant Deficiency
  • 391298 2023-005
    Significant Deficiency
  • 391299 2023-005
    Significant Deficiency
  • 391300 2023-005
    Significant Deficiency
  • 391301 2023-006
    Significant Deficiency
  • 391302 2023-006
    Significant Deficiency
  • 391303 2023-007
    Significant Deficiency
  • 391304 2023-007
    Significant Deficiency
  • 391305 2023-007
    Significant Deficiency
  • 391306 2023-007
    Significant Deficiency
  • 391307 2023-008
    Significant Deficiency
  • 391308 2023-008
    Significant Deficiency
  • 391309 2023-008
    Significant Deficiency
  • 391310 2023-008
    Significant Deficiency
  • 391311 2023-008
    Significant Deficiency
  • 391312 2023-008
    Significant Deficiency
  • 967731 2023-002
    Significant Deficiency
  • 967732 2023-002
    Significant Deficiency
  • 967733 2023-002
    Significant Deficiency
  • 967734 2023-002
    Significant Deficiency
  • 967735 2023-002
    Significant Deficiency
  • 967736 2023-003
    Significant Deficiency
  • 967737 2023-003
    Significant Deficiency
  • 967738 2023-004
    Significant Deficiency
  • 967739 2023-005
    Significant Deficiency
  • 967740 2023-005
    Significant Deficiency
  • 967741 2023-005
    Significant Deficiency
  • 967742 2023-005
    Significant Deficiency
  • 967743 2023-006
    Significant Deficiency
  • 967744 2023-006
    Significant Deficiency
  • 967745 2023-007
    Significant Deficiency
  • 967746 2023-007
    Significant Deficiency
  • 967747 2023-007
    Significant Deficiency
  • 967748 2023-007
    Significant Deficiency
  • 967749 2023-008
    Significant Deficiency
  • 967751 2023-008
    Significant Deficiency
  • 967752 2023-008
    Significant Deficiency
  • 967753 2023-008
    Significant Deficiency
  • 967754 2023-008
    Significant Deficiency

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $13.47M
84.063 | Federal Pell Grant Program | $2.58M
84.031 | Higher Education Institutional Aid | $299,133
93.575 | Child Care and Development Block Grant | $257,431
84.038 | Federal Perkins Loans Outstanding | $204,559
84.007 | Federal Supplemental Educational Opportunity Grants | $173,496
84.033 | Federal Work-Study Program | $110,932
84.379 | Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) | $2,514