Dean Dorton – CPAs and Advisors

University

Article 07.17.2019 Dean Dorton

The five-year wait is finally over. In 2014 the Department of Education (ED) issued a Dear Colleague Letter notifying colleges and universities they would need to be compliant with data safeguard rules applicable to the Gramm-Leach-Bliley Act (GLBA). The 2019 OMB Compliance Supplement was released July 1, 2019, and it does include new GLBA Data Safeguard requirements.

What is GLBA & How Does it Affect Higher Education?

In order to operate successfully, colleges and universities must acquire and maintain an incredible amount of sensitive student personal and financial information. So it is vital — and incumbent upon those institutions — to keep this information safe and well protected at all times.

The Gramm-Leach-Bliley Act (GLBA) is in place to address a variety of consumer financial privacy concerns, including those related to the transfer and safety of personal and financial information of college students.

Enacted in 1999, GLBA is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information sharing practices and to safeguard sensitive information. Also called the Financial Services Modernization Act of 1999, the purpose of the GLBA was to allow consumers to take advantage of the benefits of financial mergers while maintaining the integrity and security of banking and financial systems.

It’s important to note that GLBA only applies to colleges and universities under Title IV due to the administration of student financial aid programs. Also, it is effective for colleges and universities with fiscal years ending June 30, 2019 or later.

While we have had plenty of time to plan for GLBA and pore over the guidance issued since 2014, the guidance was not very specific. We were not entirely sure what to expect. The 2019 Compliance Supplement does not contain all the GLBA Safeguards Rule elements, but only a subset. Will more come? Is the plan to phase additional requirements in each year? Will these be all we see? The answers are, “We do not know at this point,” and no guidance has been provided yet on future plans. Either way, the good news is the first year requirements are less stringent than they could have been.

So what are the rules? They are summarized in the following three audit procedures:

  1. Verify that the institution has designated an individual to coordinate the information security program.
  2. Verify that the institution has performed a risk assessment that addresses the following three required areas.
    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    • Detecting, preventing and responding to attacks, intrusions, or other systems failures
  3. Verify that the institution has documented a safeguard for each risk identified.

How to Stay Compliant with the Safeguards Rule?

The Safeguards Rule makes it imperative for higher education institutions to create and maintain an information security plan that follows certain parameters to adequately protect customer information. GLBA Safeguards Rule requirements for colleges and universities include:

  • Development of a written plan that describes the institution’s program to protect customer information. The plan must be suitable for the institution’s size and complexity, and sufficient for the nature of the activities and sensitivity of the information involved.
  • Designation of one or more employees who will be responsible for coordinating the safety program.
  • A method to identify and assess current risks to customer information in each relevant area of the informational system, and evaluate the effectiveness of the way these risks are currently controlled.
  • Safeguards for potential risks must be set in place and routinely tested and monitored.
  • Service providers must be qualified to maintain appropriate safeguards.
  • Evaluations and adjustments when relevant situations arise, like changes in business operations or results of security testing.

These regulations are designed to provide the flexibility colleges and universities need to create security programs based on the institution’s unique size, scope, and context. For any information security plan to work effectively, all employees should be aware of the policy and how it works, and it’s recommended that frequent reminders be posted to help employees recall the requirements and understand the legal ramifications of failure to comply.

Risks of Non-Compliance

As cyberattacks continue to become more sophisticated, devious, and frequent, colleges and universities are becoming prime targets of hackers and ransomware. As they will continue to experience the consequences of major computer system breaches, the U.S. Department of Education (ED) has emphasized the importance of colleges and universities taking appropriate measures to protect sensitive data. 

Failure to maintain compliance with FTC regulations can lead to serious consequences, including fines and public reports that make institutions in question far less attractive to incoming students. Perhaps most importantly, colleges and universities that suffer cybersecurity breaches are at risk of restricted or complete loss of Title IV funding, making them ineligible to participate in federally funded financial aid programs. 

3 Tips for Higher Education Institutions to Maintain GLBA Compliance

To provide peace of mind for parents, students, and the institutions themselves, certain precautions can be taken to make it easier to follow GLBA standards. These include:

1. Take Special Precautions When Hiring New Employees 

Check references and backgrounds for those who will be responsible for sensitive information, limit access to sensitive information, and require strong passwords that must be changed routinely.

2. Routinely Remind Employees of Important Information Safety Policies and Disciplinary Actions

Policies should be shared with employees and posted where they can be easily accessed, with reminders about specific disciplinary measures for all policies.

3. Maintain a Strong Working Relationship With Your Software Developers

Monitor the websites of your software vendors for recent information about emerging threats, check with vendors for patches that address vulnerabilities, use antivirus and anti-spyware programs that update automatically, and maintain up-to-date firewalls.

Dean Dorton’s IT Audit and Cybersecurity Assessment team specializes in providing IT risk assessments and audits to help keep colleges and universities compliant with the new GLBA Data Safeguard requirements. Is your institution too small to hire an information security officer? We understand the budget constraints on today’s colleges and universities and can provide team members to be your institution’s information security officer, as well as consulting around hiring and coordinating your information security program.


Article 04.19.2018 Dean Dorton

Event Recap

Friday, March 23 marked a day of dynamic discussions in the local and regional higher education industry at our fourth annual Higher Education Training Day: Current Issues and Trends. Topics throughout the day covered everything from new accounting standard implementation to risk management and cybersecurity. We hope this overview of the day provides some insight into common areas of interest within the higher education community.

Institutional Planning and Budgeting

Jacalyn Askin, Senior Fellow for Finance and Campus Management at the National Association of College and University Business Officers (NACUBO), spoke on NACUBO’s economic models project (EMP). The EMP’s purpose is to provide NACUBO members with a comprehensive tool that provides a foundation for productive and effective institutional conversations. The EMP has four focus areas: mission, structures, strengths, and resources.

An institution’s mission should not simply be a mission statement, but rather encompass why an institution exists. The statement should be “mission centric, but market smart.” The structures of an institution should also be analyzed. Structures may need to be altered to allow for collaborations, new leadership models, and partnerships as a means to share resources.

Institutions should also focus on playing to their strengths. Adapt curriculum to the strengths and focus on the core of the institution’s existence. Lastly, utilize resources effectively. Align and redefine resources by prioritizing deployment of the resources, leverage old resources, consider new pricing strategies, and ensure that data being used becomes predictive, rather than only informative. NACUBO has provided an online tool to help you work through the EMP for your own institution: https://emp.nacubo.org/.

New DOE Information Security Requirements

Jason Miller, Director of Technology Consulting at Dean Dorton, explained that the Department of Education (DOE) is making a significant push for colleges and universities to take information security more seriously. In 2015 and in 2016, the DOE sent Dear Colleague Letters to provide higher education institutions with gentle reminders that any school participating in the Title IV federal student financial aid program is legally obligated to protect information. Specifically, they reminded us that participating in federal aid programs attaches a requirement to comply with the Gramm-Leach-Bliley Act (GLBA). GLBA was originally focused on financial institutions; therefore, many institutions try to ignore their GLBA compliance requirements.

The time has come that institutions can no longer ignore this requirement. DOE has requested that GLBA compliance become part of the annual federal student aid (FSA) audits. They have requested the Office of Management and Budget (OMB) to add an audit objective for GLBA to the FY18 compliance supplement. We are unsure if OMB will add this for FY18, but we expect that it will be added by FY19.

What does this mean for you and your institution?

  • Have you developed and deployed a comprehensive information security program?
  • Have you designated an individual to coordinate the information security program?
  • Have you conducted an annual risk assessment that includes the requirements of 16 CFR 314.4 (b)?
    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
    • Detecting, preventing and responding to attacks, intrusions, or other systems failures
  • Have you documented the safeguards and remediation actions for any risks identified in the annual assessment?
  • Do you have plans in place for continual monitoring, response, and improvement for your information security program?
  • Do you have a breach response plan in place that ensures compliance with DOE’s notification requirements?

These items are likely to become required documentation points of the FSA audit. Do you have processes in place that can provide auditable evidence that your institution is in compliance?

Another important aspect of DOE’s new focus on information security is their breach notification requirements. We encourage all institutions to review these carefully and ensure they are incorporated into your comprehensive breach response plans. Some highlights to be aware of include:

  • Under GLBA, a breach is defined as “any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.”
  • There are no minimum record sizes defined for triggering reporting requirements.
  • Requirements are NOT limited to electronic data; paper counts too.
  • Title IV schools are required to notify DOE on the day of detection, even if a breach is only suspected.
  • The penalty for not complying with breach notification requirements is $54,789 per violation.
  • To report a breach, email cpssaig@ed.gov or call 202.245.6550. The following elements are required in the notification:
    • Date of breach (suspected or known)
    • Impact of breach (number of records, etc.)
    • Method of breach (hack, accidental disclosure, etc.)
    • Information security program point of contact: email and phone details
    • Remediation status (complete, in process): with details and next steps (as needed)

Do not allow yourself to be caught off guard. The time to act is now. If you need help evaluating your GLBA compliance maturity, Dean Dorton has a team that can help. Contact Jason Miller at jmiller@ddaftech.com or 859.425.7626.

Internal Audit: Maximizing Its Potential

Lance Mann, Director of Assurance Services at Dean Dorton, explained that internal audit is an important risk management tool that should be utilized by all higher education institutions. Some institutions have internal resources that perform this role and others have outsourced this role; in either situation, the internal audit process is very similar when executed effectively.

An effective internal audit function starts with an annual risk assessment. The risk assessment should include an industry trend analysis, compliance-related items in the industry, industry news, and institution-specific information such as board meeting minutes, budgets, and financial statement audit results. The risk assessment should also include interviews of key personnel from every corner of the institution. The interviews should be targeted at understanding the risks within each area or department, and should include the president, board members, department chairs, and individuals within the finance office, registrar office, athletics, clubs, food services, housing, academic departments, health departments, security, facilities, and parking. In essence, these interviews should encompass everything that makes the institution operate.

After completing your risk assessment, you should have a risk population that you can evaluate to develop your internal audit plan for the year. Your internal audit plan should take into account the highest risks and your resources. However, you may have high-risk items for which you lack the internal expertise to adequately perform the audit work. You can always look at finding other resources on campus to help with this part of the audit or find external resources to outsource this part of your plan.

Due to their specific technical needs, three commonly outsourced areas within internal audit are technology, human resources, and federal student aid.

As you develop and execute your plan, it is important to keep the board of directors in the loop. Your annual plan should be approved by the board or audit committee, and you should regularly report to them on your audit results. You should also have a direct line of communication to the board. This is one of the most important aspects of internal audit’s ability to remain independent of management.

Having an effective internal audit function requires a significant amount of planning and preparation. It is important to perform a skills inventory to understand your internal skill sets and where you may need to find external assistance. Effective internal audit departments help institutions reduce their susceptibility to loss due to fraud or error, and help organizations remain compliant with laws and regulations. Internal audit departments should be an important part of every higher education team.

Contact Lance Mann at lmann@deandorton.com or 502.566.1005.

Endowment Management

Kelso Morrill, Managing Director at Commonfund, and Chris Miceika, Director of Multi-Asset Solutions at Commonfund, explained that in order to retain inter-generational equity for endowments, the endowment growth rate should be benchmarked at an annual rate of 5% greater than the consumer price index (CPI).

While endowments have performed well and exceeded the benchmark over the past year, their three- and 10-year performances have lagged. To have a better chance at achieving the benchmark, endowments should favor equities over other investment types, be highly diversified, and be actively managed. Endowments should also allocate more to alternative, illiquid investments such as hedge funds. This difficulty in maintaining the benchmark from year to year affects an entity’s ability to maintain its endowment spend rate, which has averaged between 4% and 4.5% over the past 10 years.

More Students, More Graduates, Better Outcomes

John Anderson, Senior Vice President of Partnership Management at The Learning House, discussed important trends in higher education and items to consider when evaluating these trends and how they may impact your institution.

Important trends include:

  1. Declining student enrollment
  2. Increasing discount rates
  3. Growing enrollment in online programs
  4. Convenience and price
  5. New and growing competition

Items to consider:

  1. Are you focusing on the “student first” mentality?
  2. What types of programs are you offering? Do these programs align with your brand? Are they what the students want? How likely are these programs to lead to employment?
  3. Are you priced competitively?
  4. How are you planning to reduce costs for students?
  5. How is your brand being portrayed in the market? Is your brand message clear, concise and differentiated?

The Learning House partners with colleges and universities to develop online programs to help students and institutions achieve their mission. With the use of online program management services and a university scorecard, The Learning House is focused on helping institutions determine where they are today with adult learners and what the best practices are in order to offer the best programs possible.

FASB/GASB Breakout Sessions

David Richard, Director of Assurance Services at Dean Dorton, presented the FASB breakout session. He discussed how institutions should go about the implementation of three new accounting standards updates (ASUs) that will be relevant to private colleges and universities:

  • ASU No. 2015-14, Revenue from Contracts with Customers
  • ASU No. 2016-02, Leases
  • ASU No. 2016-14, Presentation of Financial Statements of Not-for-Profit Entities

Contact David Richard at drichard@deandorton.com or 859.425.7662.

Simon Keemer, Director of Assurance Services at Dean Dorton, provided the GASB breakout attendees with an update on GASB statements that will be effective in the next few years, concentrating on the impact of GASB 75 for Other Post-Employment Benefits (OPEB). GASB Statement No. 75 will be effective for entities commencing with June 30, 2018 year ends. He also discussed current GASB projects, paying particular attention to the GASB project to re-examine the reporting model.

Contact Simon Keemer at skeemer@deandorton.com or 502.566.1036.

Admissions and the Business Office

Scott McDonald, Dean of Undergraduate Admission at the University of Kentucky, discussed the role of the business office function in admissions.

One of the main points to consider in the operation of an institution of higher education is to constantly evaluate the underlying assumptions on the practices of the college or university. Assumptions to evaluate could include the assumed market power of the institution brand and name, that the hindrance of tuition cost can be overcome with increasing institutional aid, and that the competition is sticking to the same known strategies that they always have. These assumptions may or may not be valid in the current changing landscape of higher education, so it is important to challenge them and integrate learned lessons into future strategies.

As mentioned, this becomes more important in the ever-changing environment of the college and university industry. Challenges such as a decreasing number of high school graduates in areas of Kentucky, the increasing cost of attendance, budget cuts, and competitors finding ways to differentiate themselves could become a threat to the success of an institution if not monitored.

As colleges and universities navigate these industry-wide concerns, focusing on important variables such as the items listed below could help foster a strategy of success:

  1. Quality of academic programs
  2. Composition of the current and incoming classes of students (residency, diversity, etc.)
  3. Potential to focus on signature, high quality programs and potentially discontinue ineffective programs
  4. Analysis of the markets, target populations, and the statistics and activities of competitors
  5. Unmet financial need

Student Financial Aid

Megan Crane, Manager of Assurance Services at Dean Dorton, covered general updates, program reviews and top findings, the Gramm-Leach-Bliley Act (GLBA), and available trainings.

For general updates, Megan noted that the Perkins loan program is ending and Pell funding levels are staying flat, which means that students will have a bigger gap to fill in order to fund their education. Although total Pell and prescribed Pell award caps are staying flat, Pell can now be awarded year-round (i.e., for summer) so that students have more flexibility in using their aid. State funding is also decreasing for public institutions, and the aid for private institutions’ students has not increased in a number of years.

Megan also discussed program reviews and top program and audit findings. The Department of Education takes a risk-based approach to determine who should be flagged for a program review. This can include input from other accrediting agencies or organizations, high default rates, whistleblowers, and student complaints. Program reviews focus on two main areas: institutional processes and data, and student-level information. The most notable item is that program reviews encompass multiple offices across campus, all of which are responsible for overall compliance with the various requirements. After a program review or audit, findings are issued. A finding in and of itself is not necessarily a red flag; however, repeat findings, where an institution has not worked to correct an issue, are significant.

The Gramm-Leach-Bliley Act (GLBA) was discussed in full during a different session; however, it is important to note that the requirements under GLBA will fall within the single audit by 2019, if not before.

Megan discussed how each institution is staying informed and up-to-date on current federal student aid (FSA) issues. Are your FSA team members attending annual training? Additionally, each institution should consider if non-FSA team members should attend FSA-specific trainings. If an accounting team member handles all of the G5 drawdowns, reconciliations, and other financial duties related to FSA, it could be beneficial for them to attend specific training on these areas. The annual FSA (Federal Student Aid) conference is free to attend. The 2018 conference will be held in Atlanta on November 27-30, 2018.

Lastly, we know that compliance is complex and takes a team effort. Work together across campus to create an environment of compliance. We are happy to assist in any way we can.

Contact Megan Crane at mcrane@deandorton.com or 859.425.7643.

Tax Reform Update

Allison Carter, Manager of Tax Services at Dean Dorton, covered the ins and outs of the Tax Cuts and Jobs Act (TCJA) and its implications for colleges and universities. Items covered included:

  • Bonds: The TCJA repealed the exclusion from income of interest on advance refunding bonds and tax credit bonds. It also preserved private activity bonds, like 501(c)(3) bonds.
  • Separately compute unrelated business income tax (UBIT): The TCJA requires tax-exempt organizations to calculate UBIT separately for each trade or business, which prohibits deductions from one business from offsetting income derived from another business. It also allowed net operating losses from prior years to continue to be available to offset income, regardless of the source of the loss.
  • Increase unrelated business taxable income (UBTI) by certain fringe benefits: UBTI includes any expenses paid or incurred by a tax-exempt organization for qualified transportation benefits, a parking facility used in connection with qualified parking, or any on-premises athletic facility.
  • Excise tax on private colleges and universities: The TCJA imposed an excise tax of 1.4% of net investment income each taxable year on “applicable educational institutions.”
  • Excise tax on excess compensation in excess of $1 million: The TCJA imposed an excise tax of 21% on remuneration in excess of $1 million with respect to employment of a covered employee of an “applicable tax-exempt organization.”

Contact Allison Carter at alcarter@deandorton.com or 859.425.7645.


Article 05.22.2017 Dean Dorton

We had an excellent day of collaboration and learning at our Higher Education: Current Issues and Trends event held at Northern Kentucky University on March 23, 2017. Topics throughout the day covered everything from new accounting standard implementation to risk management and cybersecurity. We hope this overview of the day provides some insight into common areas of interest within the higher education community.

Higher Education Issues and Challenges with Practical Solutions

Presented by: Dr. Kenneth L. Hoyt, Ph.D., The Higher Education Practice, LLC

Dr. Hoyt’s presentation, “Higher Education Issues and Challenges with Practical Solutions,” focused on identifying the top issues that face public and private institutions in our region. Attendees were asked to come to the front of the room and identify the issues and challenges they consider most significant in the current higher education landscape, regardless of whether they were from a private or public institution. Through this exercise it was quickly noticeable that private and public institutions face many of the same issues and challenges.

Among the most significant issues that were discussed were:

  • Student retention and enrollment management: This was identified as a key factor of success for all institutions. The attendees nearly unanimously agreed that this was one of the biggest issues facing public and private institutions. Attracting the right students and keeping them engaged for the entire life of a program of study is one of the best ways to secure an adequate revenue stream.
  • Access versus tuition discounting and the cost of education: Controlling the price of tuition was a significant hurdle discussed for all institutions. However, private institutions ranked this particularly high. All institutions strike a delicate balance between discounting tuition enough to ensure access for students that may not otherwise be able to attend, while at the same time having adequate revenue to cover the costs of education.
  • Endowment management and resource allocation: For private institutions, fighting the pressures of keeping tuition affordable, proper management of investments within the endowment, and use of funds become more important.
  • Speed of making decisions: Participating universities mostly agreed that the speed of making decisions was a hurdle for their organizations as they attempt to react to the swiftly changing environment of higher education.
  • Facilities upgrades: It seems that the war is on to compete for students by upgrading facilities to be state of the art. Schools are getting creative to find ways to fund new facilities and those that can’t are finding it harder to attract students.

The event attendees also discussed ideas to help institutions figure out how to be more successful. They explored the concept of ensuring that the strongest programs with the best retention and least cost were given more focus than any programs with lower retention and higher cost. Focusing organizational resources on the lower-cost, more successful programs is a great way to increase retention and help ease the challenge of enrollment management.

Dr. Hoyt has helped a large number of institutions identify which programs are working and which are using more resources than they might be worth. Key indicators include the number of program inquiries, percentage of applications, graduation rate of the program, cost per student, and geographic demand measure, among many other items.

Ultimately, the income of an institution is greatly benefited by improving graduation and retention rates and focusing on programs central to the mission of the institution that also provide the best student engagement.

Dean Dorton Publication: State of Higher Education in Kentucky

Legal Issues Update

Presented by: Jim Newberry, Steptoe & Johnson

As they say, there is an elephant in the room — the Trump administration. Many current hot higher education legal topics include:

  • Title IX
  • Legal Issues Generated by Financial Distress
  • Rapidly Evolving Compliance Environment
  • Unions/Employment Issues
  • Free Speech v. Hostile Environment
  • Cybersecurity Threats
  • Risk Management
  • Emotional Support Animals
  • Concealed Carry Laws
  • Emergency Management Obligations

The best way to manage these hot topics and others is to stay informed and be proactive. Consider utilizing legal audits for campus-wide issues and selected areas of concern. Identifying levels of contract materiality for involving counsel and employing effective risk management techniques can also help ensure your institution is staying up-to-date with regulations.

Many institutions are working toward more combined approaches such as purchasing services collaboratively with other institutions, creating geographic alliances, or substantive issue alliances. Last but not least, when in doubt, insure against significant risks when possible.

HR Issues, Risks, and Best Practices

Presented by: Jeff Ricketts, Dean Dorton

Higher education is not immune to its own set of human resources challenges. Some of the top noted HR challenges among institutions include:

  • Compensation and Benefits: As the largest expenditure for institutions, encompassing roughly 60% of total operating budgets, they have the daunting task of reducing labor costs and managing benefit cost increases. To accomplish this, HR departments have to review hiring practices, be creative with and carefully review benefit renewals, and be constituents with leadership to strategically address these issues.
  • Staff vs. Faculty: The separation of staff and faculty, and faculty among multiple departments, can lead to morale issues and concerns on campus. HR has the role to be ambassadors for fair treatment, bringing all staff and faculty together by evaluating policies that separate the two parties, developing committees to bring all parties together, and publicly promoting the successes of both groups.
  • Succession Planning: An item facing a wide array of organizations, with the baby boomers’ retirement, is succession planning. The transfer of institutional knowledge can be vast depending on the level of position and tenure with the institution. HR has the opportunity to develop policies and procedures, especially through performance management, to lead their institutions through the succession planning process.

Regulatory changes and updates are also impacting HR departments across the country. And with DOL audits on the rise, organizations need to be proactive in their compliance approach. HR departments need to conduct annual audits of their HR functions, carefully reviewing compliance, processes and procedures.

Accounting Update

Presented by: David Richard, Dean Dorton

David reviewed the changes to nonprofit accounting and reporting that will be brought about by the recently issued ASU 2016-14, Not-For-Profit Entities (Topic 958): Presentation of Financial Statements for Not-For-Profit Entities. The Financial Accounting Standards Board issued this statement as a result of their efforts to enhance the usability of not-for-profit entity financial statements.

The update seeks to:

  • Address the complexity of the three net asset classes
  • Improve transparency in relation to liquidity issues
  • Create consistent guidelines for the presentation and disclosure of expenses
  • Simplify the statement of cash flow presentation requirements

Read the full description of the changes required by the ASU.

Risk Management: Financial Fraud, Cybersecurity Update, and Panel Discussion

Presented by: Elizabeth Woodward and Jason Miller, Dean Dorton; Jacob Rhode, Keating Muething & Klekamp PLLC

Cybersecurity

Cybersecurity is our new reality. Cyber threats grow in volume and sophistication every day. It is no longer just an IT responsibility. It is the responsibility of everyone in a leadership role. It is up to all users to become more aware and help avoid exposing the organization to a potential attacker.

The Department of Education continues to warn colleges and universities of their legal obligation to protect student data. Letters from the DOE have gone out the past two Julys. They point out the requirements apply to both public and private institutions.

Reviewing the annual Verizon Data Breach Incident Report (DBIR) can help you stay up to date on the latest threats and risks in cybersecurity. Key points from the 2016 DBIR:

  • User Awareness is a critical point for organizations to focus on helping reduce risks in areas classified as Crimeware, Miscellaneous errors, Physical theft and loss, and Insider and privilege misuse. Attackers are constantly targeting users with more and more sophisticated phishing attacks. We need to challenge our users to be more alert and skeptical.
  • Top threats (breaches) for 2016 in the Education sector were:
    • Web Application Attacks (30%)
    • Miscellaneous errors (17%)
    • Stolen assets (17%)
  • Multi-factor Authentication is a critical additional line of defense. Even if users’ passwords are compromised, outside threats would be stopped by the required secondary authentication.
  • Continual Risk Management is critical to keep your organization’s cybersecurity current and effective.

Are you actively engaging with your IT resources to ensure your institution is actively considering risks and continually improving your security posture to mitigate those risks?

 

Financial Fraud in Colleges and Universities

It is a new day for administrators of colleges and universities. On many campuses, the historical atmosphere of openness and collegiality has been replaced with the fear of budget cuts and lost jobs. This shift creates an important warning for financial professionals charged with preventing and detecting fraud – the decline in resources creates financial pressure; the personal disappointment and frustration with institutional pressures can encourage rationalization (“It’s ok for me to inflate this expense report, the University owes me.”)

In order to combat these effects (two prongs of the “Fraud Triangle”), colleges and universities need to focus on strong internal controls, to ensure potential fraudsters do not have the “opportunity” (third prong of the Fraud Triangle) to steal.

Some factors to be aware of when considering internal controls for colleges and universities include:

  • Decentralized control environments can lead to lack of segregation of duties and independent oversight
  • Personnel with relatively low compensation may have autonomy over high-dollar contracts
  • Faculty members’ involvement in businesses outside the University increases risk of conflict of interest
  • Funding sources are inherently complex, with different reporting requirements and rules
  • Boards and high level management may lack financial sophistication
  • Faculty and staff may have access to various forms of expense reimbursement, from various sources

In addition to periodic re-evaluation of internal controls, colleges and universities should remember that a strong ethical tone (which begins at the top of the organization) is the cornerstone of its environment.

Student Financial Aid Update and Reminders

Presented by: Crissy Fiscus and Megan Crane, Dean Dorton

Federal student financial aid (FSA) compliance remains a significant risk area for all institutions as the Department of Education (DOE) has increased the number of program reviews in recent years and the penalties seem to be increasingly harsh. Two schools in Kentucky have closed their doors in recent years after having a DOE program review that resulted in severe findings and ended with the school being placed on HCM2. The board and management of all institutions need to be made aware of the risks of noncompliance with FSA requirements and develop a system of monitoring compliance. Maintaining FSA compliance is a campus-wide responsibility; however, the President’s Office, the Student Financial Aid Office, and the Business Office carry the majority of the responsibility for maintaining compliance. Best practices for each of those offices were discussed and a few are listed below:

  • Develop a relationship with representatives from the DOE office in your region – go visit them if you have to.
  • Hire a Director of Student Financial Aid (SFA Director) that understands the compliance requirements and will actively communicate those requirements to other departments across campus.
  • The SFA Director should be included in all discussions about new programs, new locations, etc.
  • Review the list of top 10 audit and program review findings annually.
  • Invest in training for SFA staff annually.
  • Engage an auditor that understands student financial aid.
  • Utilize internal audit to aid in FSA compliance (if you have internal audit).

Article 01.19.2017 Dean Dorton

The United States Department of Education (DOE) has sent friendly notices for two years in a row reminding colleges and universities of their requirement to comply with the strict guidelines for protecting student financial aid information. Cybersecurity should be near the top of every organization’s priority list, but for higher education institutions it should be elevated even further. Given that the DOE has provided two warnings to date, we should assume they plan to take a stricter stance on cybersecurity infrastructure, protection, and controls during compliance audits.

Cybersecurity: A Critical Boardroom Topic

Many organizations quickly punt the topic of cybersecurity to the IT department. While IT plays a huge role in cybersecurity, it is the responsibility of those charged with organization governance to ensure compliance is met. Board members and senior leadership should be asking the questions and confirming that the institution is devoting the proper resources and attention to cybersecurity.

  • It is also critical to understand that cybersecurity is not a one-time project. It is a continual evolution and initiative.
  • Leadership needs to also recognize there can be substantial costs associated with cybersecurity activities and they are not optional. The DOE letter makes this point very clear when they state “The Department understands the investment and effort required by institutions to meet and maintain the security standards established in NIST SP 800-171. Nonetheless, across the public and private sectors, it is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to controlled unclassified information and challenges to the security of such organizations.”

With the ongoing focus on higher education institutions’ bottom lines, it might be tempting to defer projects related to cybersecurity to reduce budgets. However, doing so could put your institution in a position where the DOE finds your organization in noncompliance with your Program Participation Agreement (PPA) with Title IV student financial aid. Cutting corners on cybersecurity compliance could wind up costing your institution more in the long run.

The Time to Act is Now

At this point, most organizations have some form of information security or cybersecurity policies in place, but do yours include the very specific requirements outlined in the Gramm-Leach-Bliley Act (15 U.S. Code 6801) and NIST SP 800-171? When was the last time your institution performed a thorough IT risk assessment (one that meets the NIST SP 800-171 standards)? Have proper remediation tasks been completed for any deficiencies that have been identified? If you cannot answer “Yes” with 100% confidence to all these questions, it is time to take action, before your institution faces substantial negative impacts.

For assistance in reviewing and determining your institution’s cybersecurity position, specifically as it relates to compliance with DOE standards, contact Jason Miller at 859-425-7626 or jmiller@ddaftech.com.

Dean Dorton Technology provides specialized cybersecurity services, specific to the unique requirements and challenges of higher education institutions. Our team of IT auditors has an elite background of audit experience combined with practical IT administration and will evaluate information system control environments, identify the risks, provide a basis for reliance on the system, and deliver cost-effective control recommendations for your organization.

Article 12.12.2016 Dean Dorton

The IRS is placing increased scrutiny on the use of tax exempt bonds by 501(c)(3) organizations. Since interest earned on the revenue bonds issued by state and local governmental organizations is exempt from federal income taxation, bonds are subject to compliance with federal tax law requirements.

One important requirement under the Internal Revenue Code is that not more than 5% (or 10% in the case of a governmental unit) of the net proceeds of the bonds, before issuance costs, may be used for private business use.

Private business use means the use of the bond-financed facility, whether actual or beneficial use, by a person other than a 501(c)(3) organization or a state or local government, or by a 501(c)(3) in an activity that is an unrelated trade or business.

If the property is used both for a related purpose and an unrelated purpose, the property is still considered used in a private use, but the private business use may be allocated. If the organization fails the private use test, then the interest on the bonds can become taxable.

It is common for private business use to arise in connection with management and rental contracts at colleges and universities with management of cafeterias, concession stands, bookstores, retail facilities, parking garages, summer camps, other rental activities, or research contracts. If you have contracts with these types of activities, it is recommended that you review the contracts and make sure they meet an exclusion or the safe harbor requirements under the Code based on your facts and circumstances. The Code does provide for exceptions to private business use, such as use by the general public, incidental use, and short term use, but you must meet the requirements under each exception.

If you would like more information on private business use or help with review of your current or potential contracts, please contact your Dean Dorton advisor or Allison Carter at alcarter@deandorton.com.

Article 09.26.2016 Dean Dorton

By: Crissy Fiscus

ITT Technical Institute is the latest school to close its doors after significant sanctions were placed upon the institution by the Department of Education (ED). ITT received a letter from the Department of Education on August 25, 2016 that outlined the sanctions including:

  • Increasing the line of credit to 40% of the Title IV funds received by the institution during its most recently completed fiscal year
  • Changing the method of payment to Heightened Cash Monitoring 2 (HCM2)
  • Notification and communication with the ED within 10 days of specifically identified financial and oversight events
  • Additional reporting requirements that required the school to provide information about operations, finances, and future plans
  • Additional operational requirements, which included that the school could not enroll new students that may receive federal student financial aid funds.

On September 5, 2016, just 11 days later, ITT announced that it would close its doors.

In reading the August 25, 2016 letter from the ED to ITT, I noticed that the very first sentence referenced prior communications from the ED from more than two years ago. In August 2014 ITT was cited by the ED for its late submission of annual compliance audited financial statements. As a result of this financial responsibility failure, ITT was permitted to continue participating in the Title IV program under a Provisional Program Participation Agreement for three award years. The letter went on to say that since August 2014 the ED had been actively monitoring ITT’s ongoing operations and finances.

Then in April 2016, the ED received notice from the Accrediting Council for Independent Colleges and Schools (ACICS) that ACICS had issued a directive to ITT asking the institution to prove why its accreditation should not be withdrawn. According to the ACICS Accreditation Criteria, this type of directive is issued when the Council determines that an institution is not in compliance, and is unlikely to become in compliance with the accreditation criteria. After much communication, including a hearing, another directive was issued by ACICS in August 2016, which continued to question ITT’s compliance with several accreditation standards:

  • Minimum eligibility requirements for compliance with all applicable laws and regulations
  • Requirements for student achievement, as measured by retention, placement, and licensure passage rate
  • Institutional integrity, as manifested in the efficiency and effectiveness of its overall administration of the institution
  • Financial stability, including having adequate revenues and assets to meet its responsibilities
  • Administrative capability, including overall management and record-keeping
  • ACICS admissions and recruitment standards
  • Federal and state student financial aid administration requirements

You will notice that I have bolded/highlighted several words throughout this article. Those words have very important meaning in the world of student financial aid, as they are the most common reasons the ED may place a school on a method of payment known as HCM1 or HCM2 (Heightened Cash Monitoring 1 or 2).

HCM1 requires the schools to make disbursements to students from its own funds, submit disbursement records to the Common Origination and Disbursement System, and then draw down the SFA funds. HCM1 is much less restrictive than HCM2.

HCM2 requires the school to disburse the money to the students and then submit a request for disbursement to the ED. The ED must approve the request before the funds will be disbursed to the school. Once on HCM2, very few schools survive – the cash flow squeeze is simply too much for them to overcome. I recently examined the list of schools which have been placed on HCM1 or HCM2 by the ED – 428 schools are on HCM1 and 65 schools are on HCM2. I also summarized the main reasons that schools were placed on HCM1 and HCM2:

Summary of top reasons schools are on HCM1:

  • Administrative capability – 17
  • Financial responsibility – 309
  • Audit late/missing – 84
  • Program review – severe findings – 1
  • Accreditation problems – 1
  • Other (CIO problems, eligibility) – 13

Summary of top reasons schools are on HCM2:

  • Administrative capability – 11
  • Financial responsibility – 6
  • Audit late/missing – 8
  • Program review – severe findings – 16
  • Accreditation problems – 12
  • Other (CIO problems, eligibility) – 12

Go back and look at those bolded/highlighted words and compare them to the list of the top reasons that schools are placed on HCM1 or HCM2. As you can see, ITT had many of these issues for a period of years – beginning back in 2014, when the late audit captured the attention of the ED.

ITT is clearly not the first school that has closed due to being placed on HCM2 – honestly, very few schools survive that type of cash flow crunch. Compliance with the Department of Education’s requirements is not up to interpretation – it is absolutely required and the rules must be respected by those that wish to continue to award Title IV funds to their students. Understand the rules and create systems to make sure that they are followed. We make it our business to understand these rules and help schools to develop the policies and procedures to stay in compliance.

If your institution is interested in helping the ITT Tech students, the ED posted an electronic announcement with guidance, links, websites, and contact information surrounding the recent ITT closures.

If you would like to discuss further, contact your Dean Dorton advisor or Crissy Fiscus at cfiscus@deandorton.com.
