Higher Education

Article Dean Dorton

The latest COVID-19 relief package passed by Congress has provided additional funding for Higher Education Relief. The package, titled the Consolidated Appropriations Act of 2021 (the “Act”), also included a new paycheck protection program and many other relief packages and tax changes. This article discusses the key components of the new higher education relief funding.

Colleges and Universities will receive an additional $23B to help relieve some of the impacts of the pandemic. The Act creates a new and complex formula for allocating these funds than what was used in the CARES Act, and it was difficult to immediately estimate how much each institution will get.

As with the CARES Act, institutions must distribute at least 50% of the funds received directly to students in the form of emergency grants. The remaining funds can be used for the following purposes:

  • Defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll);
  • Carry out student support activities authorized by the HEA that address needs related to coronavirus; or
  • Provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for any component of the student’s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, health care (including mental health care), or child care. In making financial aid grants to students, an institution of higher education shall prioritize grants to students with exceptional need, such as students who receive Pell Grants.

No funds received by an institution of higher education under from the Higher Education Emergency Relief Funds shall be used to fund contractors for the provision of pre-enrollment recruitment activities; marketing or recruitment; endowments; capital outlays associated with facilities related to athletics, sectarian instruction, or religious worship; senior administrator or executive salaries, benefits, bonuses, contracts, incentives; stock buybacks, shareholder dividends, capital distributions, and stock options; or any other cash or other benefit for a senior administrator or executive.

An institution that was required to remit payment to the Internal Revenue Service for the excise tax based on investment income of private colleges and universities under section 4968 of the Internal Revenue Code of 1986 for tax year 2019 shall have its allocation under this section reduced by 50 percent and may only use funds to provide financial aid grants to students or for sanitation, personal protective equipment, or other expenses associated with the general health and safety of the campus environment related to the qualifying emergency.

The Act also includes major changes to student financial aid including a simplification of FASFA form. There are also changes in how eligibility for Pell Grants is determined that should make it easier for lower-income students to receive the maximum amount of federal student aid.

As with the CARES Act, there will be mandatory reporting and audit requirements.

Do you have questions about the upcoming bill? Contact your Dean Dorton advisor, or contact us at:

insights@deandorton.com

Article Dean Dorton

The National Association of Student Financial Aid Administrations (NASFAA) has released guidance related to the reporting of the Higher Education Emergency Relief Funds (HEERF) as part of the Coronavirus Aid, Relief and Economic Security Act (CARES Act). Based upon this guidance, payments under HEERF should be reported on the 1098-T in Box 5.

See more information and background here:

NASFAA Q&A

Question: Are Emergency FSEOG and Higher Education Emergency Relief Fund Student Grants Reported On IRS Form 1098-T?

Answer: Yes. Higher Education Emergency Relief Fund grants to students and Emergency Federal Supplemental Educational Opportunity Grant (FSEOG) awards are included on IRS Form 1098-T.

According to the National Association of College and University Business Officers (NACUBO), the 26 CFR 1.6050S-1 reporting requirements for the 1098-T are still in effect and require all schools to report all “grant aid processed and administered by the institution.” HEERF grants to students and Emergency FSEOG amounts should appear in Box 5.

Further, the IRS FAQs: Higher Education Emergency Relief Fund and Emergency Financial Aid Grants under the CARES Act make it clear that students cannot claim any education credits or deductions, so the emergency grant amounts should not appear in Box 1 of the 1098-T.

Note: The IRS collects the 1098-T, not to determine whether the student has taxable scholarships or grants, but to provide documentation allowing the IRS to ensure that students claiming the American Opportunity Credit and Lifetime Learning Credit have not paid all of their tuition and fees costs with grants and scholarships.

Any additional questions on this topic go directly to the IRS or the school’s business office, as tax rules and regulations are not within NASFAA’s area of Title IV expertise.

For more information on how the Coronavirus is impacting businesses across multiple industries, visit our COVID-19 resource page:

COVID-19 Resources

Article Dean Dorton

The five year wait is finally over. In 2014 the Department of Education (ED) issued a Dear Colleague Letter notifying Colleges and Universities they would need to be compliant with data safeguard rules applicable to the Gramm-Leach-Bliley Act (GLBA). The 2019 OMB Compliance Supplement was released July 1, 2019 and it does include new GLBA Data Safeguard requirements.

What is GLBA & How Does it Affect Higher Education?

In order to operate successfully, colleges and universities must acquire and maintain an incredible amount of sensitive student personal and financial information. So it is vital — and incumbent upon those institutions — to keep this information safe and well protected at all times.

The Gramm-Leach-Bliley Act (GLBA) is in place to address a variety of consumer financial privacy concerns, including those related to the transfer and safety of personal and financial information of college students.

Enacted in 1999, GLBA is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information sharing practices and to safeguard sensitive information. Also called the Financial Services Modernization Act of 1999, the purpose of the GLBA was to allow consumers to take advantage of the benefits of financial mergers while maintaining the integrity and security of banking and financial systems.

It’s important to note that GLBA only applies to Colleges and Universities under Title IV due to the administration of student financial aid programs. Also, it is effective for Colleges and Universities with fiscal year ends ending June 30, 2019 or later.

While we have had plenty of time to plan for GLBA and pour over the guidance issued since 2014, the guidance was not very specific. We were not entirely sure what to expect. The 2019 Compliance Supplement does not contain all the GLBA Safeguards Rule elements, but only a subset. Will more come? Is the plan to phase additional requirements in each year? Will these be all we see? The answers are, “We do not know at this point,” and no guidance has been provided yet on future plans. Either way, the good news is the first year requirements are less stringent than they could have been.

So what are the rules? They are summarized in the following three audit procedures:

  1. Verify that the institution has designated an individual to coordinate the information security program.
  2. Verify that the institution has performed a risk assessment that addresses the following three required areas.
    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    • Detecting, preventing and responding to attacks, intrusions, or other systems failures
  1. Verify that the institution has documented a safeguard for each risk identified.

How to Stay Compliant with the Safeguards Rule?

The Safeguards Rule makes it imperative for higher education institutions to create and maintain an information security plan that follows certain parameters to adequately protect customer information. GLBA Safeguards Rule requirements for colleges and universities include:

  • Development of a written plan that describes their program to protect customer information, and must be suitable for the institution’s size and complexity, and sufficient for the nature of the activities and sensitivity of the information involved.
  • One or more employees to be designated to (and will be responsible for) coordinating the safety program.
  • A method to identify and assess current risks to customer information in each relevant area of the informational system, and evaluate the effectiveness of the way these risks are currently controlled.
  • Safeguards for potential risks must be set in place and routinely tested and monitored.
  • Service providers must be qualified to maintain appropriate safeguards.
  • Evaluations and adjustments when relevant situations arise, like changes in business operations or results of security testing.

These regulations are designed to provide the flexibility colleges and universities need to create security programs based on the institution’s unique size, scope, and context. For any information security plan to work effectively, all employees should be aware of the policy and how it works, and it’s recommended that frequent reminders be posted to help employees recall the requirements and understand the legal ramifications of failure to comply.

Risks of Non-Compliance

As cyberattacks continue to become more sophisticated, devious, and frequent, colleges and universities are becoming prime targets of hackers and ransomware. As they will continue to experience the consequences of major computer system breaches, the U.S. Department of Education (ED) has emphasized the importance of colleges and universities taking appropriate measures to protect sensitive data. 

Failure to maintain compliance with FTC regulations can lead to serious consequences, including fines and public reports that make institutions in question far less attractive to incoming students. Perhaps most importantly, colleges and universities that suffer cybersecurity breaches are at risk of restricted or complete loss of Title IV funding, making them ineligible to participate in federally funded financial aid programs. 

3 Tips for Higher Education Institutions to Maintain GLBA Compliance

To provide peace of mind for parents, students, and the institutions themselves, certain precautions can be taken to make it easier to follow GLBA standards. These include:

1. Take Special Precautions When Hiring New Employees 

Check references and backgrounds for those who will be responsible for sensitive information, limit access to sensitive information, and require strong passwords that must be changed routinely.

2. Routinely Remind Employees of Important Information Safety Policies and Disciplinary Actions

Policies should be shared with employees and posted where they can be easily accessed, with reminders about specific disciplinary measures for all policies.

3. Maintain a Strong Working Relationship With Your Software Developers

Monitor the websites of your software vendors for recent information about emerging threats, check with vendors for patches that reveal vulnerabilities, and use antivirus and spyware programs that update automatically and maintain up-to-date firewalls.

Dean Dorton’s IT Audit and Cybersecurity Assessment team specialize in providing IT risk assessments and audits to help keep colleges and universities compliant with the new GLBA Data Safeguard requirements. Is your institution too small to hire an information security officer? We understand the budget constraints on today’s colleges and universities and can provide team members to be your institution’s information security officer and consulting around hiring and coordinating your information security program.

Article Dean Dorton

Did you know that most higher education institutions will be required to meet new data protection standards starting May 25, 2018?

The European Union’s General Data Protection Regulation (GDPR) will affect institutions that recruit EU students, have alumni or donors residing in the EU, or offer study abroad programs there.  It is not yet clear how the regulations will be enforced and penalties assessed against U.S. institutions, but the maximum fine can be up to 20 million Euros based on severity and other factors.

Institutions are encouraged to get out in front of this regulation before it arrives at their doorstep!  Below are some of the specific data protection requirements that may be different than what you currently have in place:

  • Must obtain consent before collecting data from someone.
  • Must notify affected persons of a data breach within 72 hours.
  • Must provide data subjects a free electronic copy of their personal data when requested.
  • Data subjects have the right to be “forgotten”, meaning erasure of their personal data and cessation of its dissemination.
  • Must allow personal data to be portable in an electronic format for the subject’s own use.
  • Data systems must be built with privacy by design using appropriate technical security measures.
  • A qualified Data Protection Officer must be appointed by organizations that process personal data and have over 250 employees.

If you would like more information on these new standards or would like assistance in assessing your readiness for GDPR, please contact Jason Whitaker at jwhitaker@ddaftech.com or Megan Crane at mcrane@deandorton.com.

Article Dean Dorton

The United States Department of Education (DOE) has sent friendly notices for two years in a row reminding colleges and universities of their requirement to comply with the strict guidelines for protecting student financial aid information. Cybersecurity should be near the top of every organization’s priority list, but for higher education institutions it should be elevated even further. Given that the DOE has provided two warnings to date, we should assume they plan to take a stricter stance on cybersecurity infrastructure, protection, and controls during compliance audits.

Cybersecurity: A Critical Boardroom Topic

Many organizations quickly punt the topic of cybersecurity to the IT department. While IT plays a huge role in cybersecurity, it is the responsibility of those charged with organization governance to ensure compliance is met. Board members and senior leadership should be asking the questions and confirming that the institution is devoting the proper resources and attention to cybersecurity.

  • It is also critical to understand that cybersecurity is not a one-time project. It is a continual evolution and initiative.
  • Leadership needs to also recognize there can be substantial costs associated with cybersecurity activities and they are not optional. The DOE letter makes this point very clear when they state “The Department understands the investment and effort required by institutions to meet and maintain the security standards established in NIST SP 800-171. Nonetheless, across the public and private sectors, it is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to controlled unclassified information and challenges to the security of such organizations.”

With the ongoing focus on higher education institution’s bottom lines, it might be tempting to defer projects related to cybersecurity to reduce budgets. However, doing so could put your institution in a position where the DOE finds your organization in noncompliance with your Program Participation Agreement (PPA) with Title IV student financial aid. Cutting corners on cybersecurity compliance could wind up costing your institution more in the long run.

The Time to Act is Now

At this point, most organizations have some form of information security or cybersecurity policies in place, but do yours include the very specific requirements outlined in the Gramm-Leach-Bliley Act (15 U.S. Code 6801) and NIST SP 800-171? When was the last time your institution performed and a thorough IT risk assessment (one that meets the NIST SP 800-171 standards)? Have proper remediation tasks been completed for any deficiencies that have been identified? If you cannot answer “Yes” with 100% confidence to all these questions, it is time to take action, before your institution faces substantial negative impacts.

For assistance in reviewing and determining is your institution’s cybersecurity position, specifically as it relates to compliance with DOE standards, contact Jason Miller at 859-425-7626 or jmiller@ddaftech.com.

Dean Dorton Technology provides specialized cybersecurity services, specific to the unique requirements and challenges of higher education institutions. Our team of IT auditors has an elite background of audit experience combined with practical IT administration and will evaluate information system control environments, identify the risks, provide a basis for reliance on the system, and deliver cost-effective control recommendations for your organization.

Article Dean Dorton

As a result of FASB’s project to enhance the usability of Not-for-Profit (NFP) entities financial statements and the associated notes to those financial statements, FASB released ASU 2016-14, Not-for-Profit Entities (Topic 958): Presentation of Financial Statements of Not-for-Profit Entities.

This update seeks to:

  • Address the complexity of the three net asset classes
  • Improve transparency in relation to liquidity issues
  • Create consistent guidelines for the presentation and disclosure of expenses
  • Simplify the statement of cash flow presentation requirements.

The current net asset classifications have been eliminated and replaced by two new classes:

Investment returns will now be presented net of expenses and the requirement to disclose those netted expenses has been eliminated. NFP entities using the direct method cash flow statements are no longer required to reconcile the direct method to the indirect method. For gifts received to acquire or build long-lived assets, entities will now be required to use the “Placed-in-Service” method to report the expiration of gift restrictions and will need to reclassify any such amounts for assets previously placed in service. The new guidelines require NFPs to present both the natural and functional classification of expenses in the same location.

Additional disclosure requirements are as follows:

  1. Disclosure of the amounts and purposes of self-imposed restrictions or limitations on assets without donor imposed restrictions.
  2. Disclosures of the composition of donor restricted net assets and how those restrictions affect their use.
  3. Qualitative information on management’s plan to meet the entity’s cash flow needs for the next twelve months as well as the availability of the assets that will be used to meet those needs.
  4. Disclosure of the methodology used to allocate expenses between program and support functions.
  5. Underwater endowment funds will now require increased disclosure requirements relating to the entity’s policies and actions taken concerning appropriation of such funds, the fair value of the funds, original gift amount to be maintained and the aggregate deficiencies of the funds, which are to be classified as part of net assets with donor restrictions.

Nonprofit organizations that will be affected include charities, foundations, colleges and universities, healthcare providers, religious organizations, trade associations, and cultural institutions, among others.

These changes will be effective for annual statements with fiscal years beginning after December 15, 2017 and for interim periods with fiscal years beginning after December 15, 2018. The amendment is to be applied on a retrospective basis; however, entities presenting comparative statements have the option to omit the increased requirements surrounding the analysis of expenses and liquidity and availability of resources for the period presented prior to adoption.

Authored by Tom Smither, Supervisor of Assurance Services.

For additional information, please contact your Dean Dorton advisor or:
Crissy Fiscus, cfiscus@deandorton.com
David Richard, drichard@deandorton.com