GLBA Safeguards Rule Audit Objective

Article GLBA
GLBA Safeguards


In early July, the Office of Management and Budget (OMB) published a 2019 Compliance Supplement for federal single audits. This supplement includes audit objectives for colleges and universities regarding compliance with the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The 2019 Compliance Supplement is effective for audits of fiscal years beginning after June 30, 2018 and also supersedes the 2017 and 2018 Compliance Supplements.

The new audit objectives should not be new news, as the U.S. Department of Education (DoE) Office of Federal Student Aid (FSA) stated in “Dear Colleague Letters” from 2015 and 2016 that it would “require the examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audit.” In fact, the DoE incorporated a Safeguards Rule compliance requirement in the Title IV Program Participation Agreement (PPA) in 2015 and all institutions that currently access federal student aid programs have already agreed to the language within the PPA.

The new audit objectives do not appear to be a deep-dive audit into your information security programs, but instead a check to establish that your institution has designed, implemented, and maintained an adequate information security program for meeting the core elements of the Safeguards Rule. The suggested audit procedures in the 2019 Compliance Supplement include verifying that the institution has:

  •  Designated an individual to coordinate the information security program;
  • Performed a risk assessment that addresses employee training and management, network and information systems, and incident response; and
  • Documented a safeguard for each risk identified from the assessment performed above.

Unfortunately, the audit objectives do not specify or suggest the format or types of documentation an auditor will require. Given the newness of the audit objective, the first audits may be bumpy rides, as auditors and the audit community likely will not yet have come together to establish a common and well-understood approach.

Prepare for this upcoming audit by ensuring you can provide documented evidence of compliance with the suggested audit controls above. Ask your own internal audit staff to review your evidence with a healthy level of skepticism. If you haven’t already started discussions at your institutions regarding the 2019 audit objective, there is no better time than now to begin.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.