By Adam Steinfurth, CPA
The Gramm-Leach-Bliley Act (Act or GLBA) requires schools that participate in Title IV to comply with the standards for safeguarding student information set forth in 16 CFR 314. Student information is defined as any record containing nonpublic personal information, whether in paper, electronic, or other form, that is handled by you or on your behalf or by your affiliates.
Although compliance with the Act is required, the September 2016 Guide for Audits of Proprietary Schools and for Compliance Attestation Engagements of Third-Party Servicers Administering Title IV Programs does not contain any audit steps for checking compliance. Similarly, until recently, neither did the Compliance Supplement for audits conducted under 2 CFR Part 200 (Uniform Guidance) for Single Audits, which covers nonprofit institutions.
Because it has not been required, we have not been auditing a school's compliance with this regulation. However, guidance has recently been issued in the 2019 Compliance Supplement to the Uniform Guidance for auditing an institution's compliance with the Act. Although that guidance does not apply to proprietary institutions, personnel from the U.S. Department of Education's Office of Inspector General have indicated that these steps are going to be included in future audit guides for proprietary schools.
This new guidance specifies that the auditor should determine whether the institution has designated an individual to coordinate the school's information security program, performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b), and documented safeguards for each risk identified. The three areas noted in 16 CFR 314.4(b) are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures.
While these audit requirements are not extensive, they will require us to request new documentation from institutions. We suggest that you review your current GLBA documentation now and verify that it meets the standards of 16 CFR 314, in particular that the designated coordinator, the risk assessment covering the three areas above, and the safeguards for each identified risk are all documented in writing.
As always, McClintock & Associates is available to answer any questions that you may have.