After many years of working in higher education, I have learned one can never be over-prepared for the federal single audit that sweeps through colleges and universities annually. Outside of the typical audit objectives, it seemed that every year there were also more specific areas or initiatives the auditors concentrated on. As we approach the end of this fiscal year for most higher education institutions, we have noticed a more focused effort to address the requirements set forth by the Gramm-Leach-Bliley Act (GLBA). This focus on GLBA no doubt stems from the latest audit objectives, issued in 2019 by the Office of Management and Budget (OMB), regarding GLBA compliance and the Federal Trade Commission (FTC) Safeguards Rule.
WAIT! You say. CampusGuard already issued a blog on GLBA and the new Safeguards Rule just ten months ago. That we did. We’ve seen so much activity in this space over the past year that we felt it necessary to remind those of us who have been distracted by… I don’t know… a life-altering pandemic. In case you needed that reminder, we wanted to get it back on your radar so you can avoid any potential audit findings.
Just prior to the COVID-19 pandemic, in February of 2020, the Office of Federal Student Aid (FSA) released a notice outlining how FSA would handle compliance enforcement related to Safeguards Rule audit findings.
In March of 2020, they also extended the reporting deadline for any audits with a fiscal year-end date on or before June 2020, by six months.
Although this may have bought you a little time, it is still important to work towards ensuring you have the appropriate controls in place. To prepare for the upcoming audit, make sure you review the suggested audit procedures in the 2019 Compliance Supplement:
- Designate an employee (or employees) to coordinate and be responsible for the information security program.
- Perform a risk assessment that addresses employee training and management, network and information systems, and incident response.
- Make sure you have a documented safeguard for each risk identified from the risk assessment mentioned in the previous bullet.
Using a cybersecurity framework such as NIST SP 800-171, the information security publication that Federal Student Aid (FSA) recommends for protecting “Controlled Unclassified Information (CUI),” can help meet those requirements and provide a comprehensive baseline for securing sensitive information across campus.
What can you do to make sure you are ready for this year’s audit? Work with your internal partners to collect documented evidence of compliance for the suggested audit controls above and have it available. Your Information Technology and Security departments may have some, if not all, of the documentation you need. Ask your Internal Audit staff to review the current documentation to verify that what you have will meet what they would expect an FSA auditor to deem reasonable records. If you are unsure how or where to get started, use a trusted third party for assistance with a more formal assessment prior to your scheduled audit to identify any potential gaps in your compliance program.
In the words of my more knowledgeable and charismatic colleague, Ed Ko: if you haven’t already started discussions at your institution regarding the 2019 audit objective, there is no better time than now to begin.