For the 2017 Compliance Supplement Vett Draft, the Office of Management and Budget (OMB) is proposing that the U.S. Department of Education require a new audit objective, Securing Student Information, to test for compliance with rules for securing student information. The proposed Safeguards Rule asks auditors to evaluate information security programs and associated safeguards. Many associations of educational leaders, professionals, and financial officers are concerned with the burdens this proposed requirement presents. Organizations like the National Association of College and University Business Officers (NACUBO), EDUCAUSE, the Council on Governmental Relations (COGR), and the National Association of Student Financial Aid Administrators (NASFAA) reached out to OMB asking that the new objective either be removed pending further discussions and adjustments made with the higher education community, or re-written so that it contains objective criteria and be delayed until the fiscal year (FY) 2018 single audit so that institutions can begin planning for the additional cost that may impact the audit expense.
The audit objective is as follows: Determine whether the Institute of Higher Education (IHE) has developed, implemented, and maintained a comprehensive information security program in accordance with the Safeguards Rule (Compliance Supplement Vett Draft 5-3-53, April 2017). The Safeguards Rule has several requirements within it, including a designated employee to oversee the institution’s information security program, an internal and external customer information risk identification, implementation of risk controls (with regular testing), employee training, and safeguard validations of third-party service providers. This objective now poses new test planning and procedures for the auditor performing the single audit.
Expansive, Too Broad of an Audit Objective
These organizations argue that the new audit objective (as-written) is too broad in scope and lacking in specificity, which makes it challenging for auditors to assess (and opine on compliance) and difficult for higher education institutions to comply with. What is missing, they believe, is objective criteria, so that the varying security programs/plans across higher education institutions can ensure they are adequately meeting the requirements of the proposed audit objective. Under the Safeguards Rule (Gramm-Leach Bliley Act), institutions are allowed discretion in how they conduct risk assessments and develop risk programs. As such, each higher educational institution is afforded the freedom and flexibility to develop a plan that meets their unique needs, mission, operations, and student populations. But the proposed audit objective for Securing Student Information is written in a way that different auditors may come to different conclusions based on the facts of the situation. For example, an auditor’s interpretation of what constitutes a “comprehensive” information security program may differ, and therefore, audit outcomes may differ as well.
Opposing organizations also claim that the broad scope of the proposed audit objective will now force auditors to engage IT audit specialists to address the requirement, which will in turn likely increase the cost of the audit work to the higher education institution. Increased testing requires additional planning and procedural time on the part of the auditor. Concerns existed that these costs will be passed on to the IHE, who likely has not budgeted for an increase in audit cost for fiscal year 2017.
The U.S. Department of Education heard the concerns of the higher education agencies and, at this time, plans to add the cyber requirement to the 2018 supplement. Some key takeaways to know:
Your organization may opt to seek consulting expertise to perform a gap analysis regarding your information security program and the Safeguards Rule. For more information, contact us.