In early July, the Office of Management and Budget (OMB) published the 2019 Compliance Supplement for federal single audits. The supplement includes audit objectives for colleges and universities regarding compliance with the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The 2019 Compliance Supplement is effective for audits of fiscal years beginning after June 30, 2018, and supersedes the 2017 and 2018 Compliance Supplements.
The new audit objectives should come as no surprise: the U.S. Department of Education (DoE) Office of Federal Student Aid (FSA) stated in "Dear Colleague Letters" from 2015 and 2016 that it would "require the examination of evidence of GLBA compliance as part of institutions' annual student aid compliance audit." In fact, the DoE incorporated a Safeguards Rule compliance requirement into the Title IV Program Participation Agreement (PPA) in 2015, so every institution that currently accesses federal student aid programs has already agreed to that language by signing the PPA.
The new audit objectives do not appear to call for a deep-dive audit of your information security program. Instead, they are a check that your institution has designed, implemented, and maintained an information security program that meets the core elements of the Safeguards Rule (note that the rule itself also requires overseeing service providers and periodically evaluating and adjusting the program, even though those elements are not among the suggested procedures). The suggested audit procedures in the 2019 Compliance Supplement include verifying that the institution has:
- Designated an individual to coordinate the information security program;
- Performed a risk assessment that addresses employee training and management, network and information systems, and incident response; and
- Documented a safeguard for each risk identified in that assessment.
Unfortunately, the audit objectives do not specify or suggest the format or type of documentation an auditor will require. Given how new the audit objective is, the first audits may be bumpy, because auditors and the wider audit community will not yet have settled on a common, well-understood approach.
Prepare for this upcoming audit by ensuring you can produce documented evidence for each of the suggested audit procedures above: the written designation of the program coordinator, the risk assessment itself, and the record that maps each identified risk to its safeguard. Ask your own internal audit staff to review that evidence with a healthy level of skepticism. If you have not already started discussions at your institution about the 2019 audit objective, there is no better time than now to begin.