HIGHER EDUCATION

Michael Cosgrove
Principal, CPA, MSA

15 June 2017

The 2017 Compliance Supplement Vett Draft has been
issued to certain key stakeholders and is currently being
edited before it is officially finalized. One of the most
interesting additions to the education community is the
Special Test 14 for Securing Student Information. This
new test has resulted in the following audit objective:

To determine whether the Institution of Higher Education (“IHE”) has developed, implemented, and maintained a comprehensive information security program in accordance with the Safeguards Rule.

Although many audit firms already perform various tests examining the IT environment, this is the first time that the Office of Management and Budget (“OMB”) has explicitly made reference to it.

It is important to recognize that the language used for the audit procedure is fairly ambiguous, and the definition of what a “comprehensive information security program” actually is may differ among firms. Also, there may not be enough objective criteria that can be specifically included during testing to ensure that all IHEs are being audited against the same criteria.

IHEs would be required to provide audit evidence that the program was in place and maintained throughout the year, and then an independent third party would need to provide verification. If IHEs are not expecting this requirement to be a part of the audit because it has never been included in the past, they may be unable to provide audit evidence of the program being in place for the prior year. This may lead to IHEs receiving a disclaimer of opinion from their auditors.

Based on the preliminary information that is available, it appears that this test would likely need to be performed by an IT audit specialist. This could be troublesome for some smaller firms without such capabilities, which would then be forced to hire an outside agency to perform these tests. Locating the appropriate individual with the right skill set to perform the necessary testing would also require additional time, which would further drive up audit costs.

Although there are some important issues still being worked out, IHEs can take some actions now to ensure that they meet future compliance objectives. Each institution should meet with current management, assess its current compliance with cybersecurity requirements, and ensure that a written information security plan is in place. Review the Department of Education recommendation to use the National Institute of Standards and Technology (“NIST”) guidance for best practices. These policies, procedures and controls can be extremely cumbersome, thereby requiring some IHEs to seek help from outside entities, but they are critical to maintaining an IHE.
