Federal Student Aid - IFAP
   
PublicationDate: 6/1/95
AuditGuideType: Audit Guide for Schools
SectionNumber: I
SectionTitle: Audit Planning and Other Considerations
PageNumbers: 1-14


Audit Guide, 1995
Pages I-1 - I-14

SECTION I

AUDIT PLANNING AND OTHER CONSIDERATIONS


PURPOSE OF GUIDE

This guide is to assist independent auditors (IPAs) in performing
audits of Federal Student Financial Assistance (SFA) programs. This
guide supersedes the Audit Guide, Audits of Student Financial
Assistance Programs (March 1990) and Non-Federal Technical
Bulletin 92-1, and is effective for SFA compliance audits (attestation
engagements) for award years ending June 30, 1995 and thereafter.

The Higher Education Act of 1965, as amended, (HEA) requires
annual financial and compliance audits (34 CFR Part 668.23) of Title
IV HEA programs for all institutions that participate in:

- Federal Family Educational Loan (FFEL),
- Federal Direct Loan Program (FDLP),
- Federal Pell Grant (Pell),
- Federal Perkins Loan,
- Federal Work-Study (FWS), or
- Federal Supplemental Educational Opportunity Grant (FSEOG)
Program.

The HEA requires that these audits be performed in accordance with
the standards for financial audits of the U.S. General Accounting
Office's Government Auditing Standards (1994 Revision), issued by
the Comptroller General of the United States.

SFA audit/attestation objectives are to:

1. Determine and report whether:

- The institution's basic financial statements are fairly presented,
in all material respects, in accordance with generally accepted
accounting principles (GAAP), and

- The institution management's assertions relative to compliance
with specified compliance requirements in Section II of this
guide are fairly stated in all material respects (institutional
eligibility and participation, reporting, student eligibility,
disbursements, refunds, cash management, and, if applicable,
close out examinations).

2. Assist ED in meeting its stewardship responsibilities by ED acting
upon noncompliance and internal control weaknesses noted in the
IPA's reports. The IPA's reports must contain adequate
information to give reported matters perspective and to allow ED
to take necessary corrective action.

IN ADDITION TO THE REQUIRED FINANCIAL STATEMENT
AUDIT, THIS GUIDE REQUIRES AN EXAMINATION-LEVEL
ATTESTATION ENGAGEMENT RELATIVE TO THE
INSTITUTION MANAGEMENT'S ASSERTIONS ABOUT
CERTAIN COMPLIANCE ASPECTS RELATED TO SFA
PROGRAM PARTICIPATION. THEREFORE, IN ADDITION TO
APPLICABLE STANDARDS CONTAINED IN THE
GOVERNMENT AUDITING STANDARDS, THE STATEMENT
ON STANDARDS FOR ATTESTATION ENGAGEMENTS
(SSAE) NO. 3, COMPLIANCE ATTESTATION, ISSUED BY THE
AMERICAN INSTITUTE OF CERTIFIED PUBLIC
ACCOUNTANTS (AICPA) ALSO APPLIES.

This guide is to be used by all institutions which administer SFA
funds, with two exceptions:

- Public colleges and State and local universities audited in
accordance with the Single Audit Act and OMB Circular A-128,
and

- Institutions of higher education and other nonprofit institutions
audited in accordance with OMB Circular A-133. Organizations
whose only funding is SFA may elect to have an SFA audit in
accordance with this guide.

This guide is divided into three sections:

Section I Provides general information about engagement planning
and other considerations.

Section II Identifies the compliance requirements and management's
assertions that must be reported on by the IPA.

Section III Provides the reporting requirements and illustrative
reports.

This guide is not intended to be a complete manual of procedures,
nor is it intended to supplant the IPA's judgment of the work
required. Suggested procedures described may not cover all
circumstances or conditions encountered at a particular institution.
The IPA should use professional judgment and due care to tailor the
procedures so that the financial statement audit and compliance
attestation engagement objectives are achieved. However, all
applicable management assertions contained in this guide must be
addressed by the IPA. The IPA should contact the Dallas Regional
Inspector General for Audit (RIGA) (See Appendix C) for technical
assistance related to performing the engagement required by this
guide.

ENGAGEMENT PERIODS AND REPORT DUE DATES

The annual periods to be audited are:

- Institution's basic GAAP financial statements, based on the
institution's fiscal year, in accordance with Government
Auditing Standards and generally accepted auditing standards;
and

- Compliance based on the award year ending June 30th during
the institution's fiscal year by examining and reporting on the
institution management's assertions about compliance with
specified SFA laws and regulations, in accordance with SSAE
No. 3 and Government Auditing Standards.

Institutions may engage different IPAs to perform the audit of the
financial statements and the compliance attestation engagement.

Compliance attestation reports are due six months following the
fiscal year end and audited financial statements are due four months
following fiscal year end, as shown below (34 CFR 668.23, 34 CFR
668.15):

**[The "Compliance Attestation Due Date Chart" on page I-3 is currently
unavailable for viewing. Please reference your paper document for
additional information.]**

The institution's failure to meet report due dates may result in
administrative sanctions described in 34 CFR 668, Subpart G.


MATTERS REQUIRING IMMEDIATE ACTION

Irregularities or Illegal Acts

Professional standards require IPAs to design and perform
procedures to provide reasonable assurance of detecting significant
illegal acts. IPAs should be aware of fraud or high risk indicators,
recognizing basic weaknesses in internal control and performing
sufficient substantive tests (See Appendix B). IPAs should avoid
performing audit steps mechanically (auditing form over substance)
and accepting explanation for audit exceptions without question.

If the IPA becomes aware of illegal acts or indications of such acts,
which could result in criminal prosecution, except those that are
clearly inconsequential, the IPA should use discretion to avoid any
actions which would compromise the protection of an individual's
rights or the integrity of any potential future investigations or legal
proceedings. For supplemental guidance, see the Government
Auditing Standards and Statement on Auditing Standards (SAS) No.
53 and No. 54, entitled, The Auditor's Responsibility to Detect and
Report Errors or Irregularities and Illegal Acts by Clients,
respectively.

The IPA should promptly prepare a separate written report
concerning such acts or indications of such acts. This report should
be submitted to the ED Office of Inspector General (OIG), at the
address below within 30 days after the date of discovery of the acts.
If the IPA decides to explore further the indications of such acts to
determine the size and seriousness of the situation, the report should
be submitted within 30 days after he/she has completed the
additional work.

Assistant Inspector General
Programs and Operations Integrity
U.S. Department of Education
Room 4022 MES
600 Independence Avenue, SW
Washington, DC 20202-1510


AUDITOR QUALIFICATIONS

IPAs must meet the qualification and independence standards
specified in Government Auditing Standards, including continuing
education requirements. Internal auditors of an institution are not
independent while auditing within it. However, IPAs may consider
the work of the internal auditors in performing the financial
statement audit and the examination-level compliance attestation
engagement. IPAs should apply the concepts and guidance in SAS
No. 65, The Auditor's Consideration of the Internal Audit Function
in an Audit of Financial Statements.

Government Auditing Standards require IPAs and audit firms to
comply with applicable provisions of the public accountancy law and
rules of the jurisdiction in which they are licensed and where the
engagement is being conducted. If the institution is located in a state
outside of the home state of the IPA, and the IPA performs
substantial field work in the institution's state, the IPA should
document his/her compliance with the licensing requirements of the
public accountancy laws of that state. This guide does not impose
additional licensing requirements beyond those established by the
individual State Boards of Accountancy.


GENERAL PLANNING CONSIDERATIONS

Engagement Letter

An engagement letter between the institution and the IPA shall be
prepared and must include the following:

- A statement that the compliance attestation engagement is to be
performed in accordance with SSAE No. 3, Government
Auditing Standards, and this guide;

- A description of the scope of the engagement and the related
reporting that will meet the requirements of this guide;

- A statement that both parties understand that ED intends to use
the IPA's report to help carry out its oversight responsibilities of
the Title IV programs; and

- A provision that the IPA is required to provide ED, the Inspector
General and their representatives access to working papers
(including making photocopies, as necessary). [IPAs should
refer to AU Section 9339, "Interpretations of AU Section 339
'Working Papers,'" of the AICPA Professional Standards for
guidance.]

Third Party Servicer Audit

When an institution uses a third party servicer (servicer), the IPA
should obtain the most recent servicer audit and any other reports
regarding servicer compliance. If the audit contains findings of
noncompliance, the IPA should assess the effect of that
noncompliance on the nature, timing or extent of substantive tests at
the institution. If significant noncompliance is disclosed in the
servicer's audit, the IPA must assess the effect of that noncompliance
on the institution and include that information in the audit report.

Escrow Agent/Reimbursement

IPAs should be aware that ED may impose administrative actions on
institutions and should consider its impact on risk assessment,
accordingly. Common actions involving Title IV cash management
may require an institution to:

- Contract with an escrow agent to monitor funding, or
- Be on a cost reimbursement basis with ED.


Follow-up on Prior Audit Findings

The IPA should review prior audit findings, including IPA, ED-OIG,
ED-Student Financial Assistance Program (SFAP) reviews,
guarantee agency reports, State licensing agency reports, and SPRE
reviews, and the resolution of those findings (See Example G). If
there are no prior years compliance audit reports, prepare a finding to
that effect.

Site Visits

A substantial portion of an institution's records and processes may be
at another location, yet enrollment/SFA application processes and
attendance monitoring are generally located at the institution. In
order to obtain an understanding of the related internal control
structure and to assess control risk, the processes which take place at
the institution must be observed. Therefore, the IPA must perform
audit procedures at the institution either during the audit or during
the audit period. There should be a visit to every location in the first
year of an engagement. For a cyclical approach to be acceptable,
each location should be visited at least once every two years. The
IPA must identify the location(s) and the date(s) of the visits on the
Auditor's Information Sheet (AIS) (See Example C).

Corrective Action Plan

ED requires an institution to submit five copies of an applicable
corrective action plan (CAP) as part of its compliance attestation
report package. In the CAP, which must be on the institution's
letterhead, institution officials must provide its concurrence or
nonconcurrence with the IPA's findings and describe the corrective
actions taken or planned. In addition, the institution must comment
on the status of corrective action taken on prior audit findings.
Additional guidance concerning the CAP is contained in Section III
of this guide (Example H).


COMPLIANCE ATTESTATION REPORTS SUBMITTED
WITHOUT AN APPLICABLE CAP ARE INCOMPLETE AND
WILL BE RETURNED TO THE INSTITUTION.
INSTITUTIONS MAY BE SUBJECT TO ADMINISTRATIVE
SANCTIONS PURSUANT TO 34 CFR 668 SUBPART G.


Close Out Examinations

An institution that loses eligibility, ceases to provide educational
instruction, or otherwise discontinues participation in the Title IV
programs must have a close out compliance examination (currently,
no financial statement audit is required). This examination must
cover the period from the end of the last compliance examination
through the date participation ends. All compliance sections of this
guide must be tested and the report is due to ED within 90 days after
the date participation ends.

Student Confirmations

The IPA should consider sending positive confirmations to verify
student attendance at the institution. The suggested format of the
confirmation follows. The IPA must use professional judgement on:
how many attempts must be made to obtain the information, analysis
of the responses [including whether the confirmation results require
the IPA to report them as matters requiring immediate attention (See
pages I-3 and I-4)], and how the responses might impact the overall
engagement.

Suggested Confirmation Format:

[Institution] records show that you attended/are attending this school.
Is this correct? ____Yes ___No

Explanation _________________________________________
____________________________________________________

[Institution] records show that you attended from ________ (date) to
________ (date). Is this correct? ____Yes ____No

Explanation _________________________________________
____________________________________________________


FINANCIAL STATEMENT AUDIT



The audit of the institution's basic GAAP financial statements must
be performed in accordance with Government Auditing Standards
and generally accepted auditing standards. The IPA's reports are
illustrated at Examples A-1 through A-3.

Management and Legal Counsel Representation Letters

The IPA is required to obtain management's and legal counsel's
written representations as part of the financial statement audit.
Management's written representations must also be obtained for
matters concerning compliance with SFA program laws and
regulations that have a direct and material effect on the financial
statement amounts. Additional guidance is provided in SAS No. 19,
Client Representations and SAS No. 12, Inquiry of a Client's Lawyer
Concerning Litigation, Claims, and Assessments.

Consideration of Internal Control Structure Over Financial
Reporting

Guidance on the IPA's consideration of the internal control structure
in the financial statement audit is provided in Government Auditing
Standards and SAS No. 55, Consideration of the Internal Control
Structure in a Financial Statement Audit. The IPA's responsibility to
communicate reportable conditions and material weaknesses in
internal control noted in the financial statement audit are described in
SAS No. 60, Communication of Internal Control Structure Related
Matters Noted in an Audit and Government Auditing Standards.

85/15 Attestation

ED will provide guidance which will address the 85/15 attestation,
which is effective July 1, 1995, and other financial statement issues.

Contact Office

If you have any questions regarding financial statement audit
requirements or the financial statement presentation, contact:

U.S. Department of Education
Financial Analysis Branch
600 Independence Ave., S.W.
Washington, DC 20202-5323

Phone: (202) 401-6485
FAX: (202) 205-0782


Financial Statement Reporting

An institution's financial statement report package must include the
following:

1. A report on the audit of the basic financial statements (Example
A-1);

2. A report on the internal control structure based on an audit of the
basic financial statements (Example A-2);

3. A report on compliance based on an audit of the basic financial
statements (Example A-3); and

Please refer to Dear Chief Executive Officer letter dated June 1994
for guidance on the use of financial statement information. Based on
this letter the financial statement package must be mailed to one of
the addresses below, depending upon whether the institution permits
the audit to be included in Dun and Bradstreet's files:

U.S. Department of Education
Student Financial Assistance Programs
c/o Dun and Bradstreet
899 Eaton Avenue
Bethlehem, PA 18025-0016


U.S. Department of Education
Financial Analysis Branch
600 Independence Ave., S.W.
Washington, D.C. 20202-5323


COMPLIANCE ATTESTATION ENGAGEMENT

The compliance attestation engagement must be performed as an
examination - level engagement in accordance with SSAE No. 3 and
Government Auditing Standards. Management's written assertions
are the basis for the IPA's testing and therefore are an integral part of
the engagement. Such assertions normally should be obtained from
management in a letter of representation to the IPA. The IPA should
also obtain management's written representations as discussed in
paragraph 70 of SSAE No. 3.

THE INSTITUTION IS RESPONSIBLE FOR ALL ASSERTIONS
IN THIS GUIDE EVEN IF THE INSTITUTION CONTRACTED
WITH A SERVICER TO PERFORM CERTAIN OF THE
COMPLIANCE ACTIVITIES COVERED BY THIS GUIDE. It is
ED's opinion that institutions maintain or have access to sufficient
documentation to make the required assertions in Section II of this
guide. Institutional eligibility, reporting, student eligibility,
disbursements to students, refunds and cash management
documentation ORIGINATE AT THE INSTITUTION. If necessary,
documentation at a servicer should be obtained so management can
make the required assertions. Scope limitations because of
management's refusal to provide the assertions in Section II of this
guide may result in the institution being subject to administrative
actions listed in 34 CFR 668 Subpart G. SSAE No. 3 paragraph 71
discusses the IPA's responsibility when management refuses to
furnish all appropriate written representations.

Consideration of Internal Control Structure Over Compliance

Overall guidance for the consideration of the internal control
structure in an examination-level attestation engagement is provided
in Government Auditing Standards and in paragraphs 44-46 of SSAE
No. 3. Paragraph 44 of SSAE No. 3 states that the IPA should obtain
an understanding of relevant portions of the internal control structure
over compliance sufficient to plan the examination engagement and
to assess control risk for compliance with the specified requirements
(that is, compliance requirements specified in Section II). IPAs must
document this understanding (may include flowcharts, narrative, or
other means) and their assessment of control risk. Section II of this
guide highlights the suggested procedures that have related internal
control and risk assessment documentation requirements by the use
of an "*".

In planning the engagement, the IPA should be aware that SFA
programs are normally administered by more than one organizational
component within the institution and that each component may
maintain a separate or different internal control structure, policies, or
procedures for ensuring compliance. Controls over the following
warrant particular emphasis:

- Determination of student eligibility,
- Disbursements, and
- Refunds.

During an examination-level attestation engagement, the IPA may
become aware of reportable conditions or material weaknesses in the
institution's internal control structure over compliance. A reportable
condition is a significant deficiency in the design or operation of the
internal control structure over compliance that could adversely affect
the institution's ability to comply with the specified requirements. A
material weakness is a reportable condition in which the design or
operation of the internal control structure does not reduce to a
relatively low level the risk that noncompliance with one or more of
the specified requirements could occur and not be detected within a
timely period by employees in the normal course of performing their
assigned functions. The IPA's responsibility to communicate these
deficiencies in an examination of management's assertion is similar
to the IPA's responsibility described in SAS No. 60. However, this
guide requires all communications of reportable conditions and
material weaknesses in the internal control structure over compliance
to be in writing and requires the IPA to include a copy of such
report(s) in the IPA's reporting package.

Except for reporting reportable conditions and material weaknesses
as described above, no other reporting on the internal control
structure over compliance is required. The Government Auditing
Standards requirement for a report on internal controls based on
performing a financial-related audit does not apply.

Materiality

Paragraph 35 of SSAE No. 3 provides guidance on the IPA's
consideration of materiality as it relates to each separate management
assertion about compliance. Materiality for purposes of compliance
assertions differs from materiality for financial reporting purposes.
Accordingly, materiality relates to each separate management
assertion about compliance. The IPA should consider the materiality
of management's assertions in the context of total SFA funding or
individual attribute.

Sampling Methodology

This guide requires the following sampling methodology to be used
to test the required management assertions on student eligibility,
disbursements and refunds in Section II of this guide. The
population of students who received Title IV SFA during the
engagement period (award year) should be segregated into two
universes:

1) Students who were enrolled or graduated or are on an approved
leave of absence, and

2) Students who withdrew, dropped, or were terminated.

Obtain or calculate the withdrawal benchmark using the following
formula:


SFA students who withdrew, dropped or were
terminated during the award year
------------------------------------------------
Total SFA students for the award year

Exclude from the calculation those students who were entitled to and
actually received a 100% refund of tuition and fees.

Based on the withdrawal benchmark, the IPA should follow one of
the two Approaches described below. BOTH APPROACHES
REQUIRE ALL RANDOMLY SELECTED STUDENTS TO BE
TESTED FOR STUDENT ELIGIBILITY, DISBURSEMENTS
AND, IF APPROPRIATE, REFUNDS. See Sample Results for
discussion if material noncompliance is found and additional testing
is required.

Approach I. Withdrawal Benchmark Less Than 33%

1) From the universe of students who were enrolled or graduated or
are on an approved leave of absence during the award year, select
a minimum random sample of 50 students, or 25% of the total
number of students in the universe if the universe has less than
200 students.

- AND -

2) From the universe of students who withdrew, dropped or were
terminated during the award year, select a minimum random
sample of 25 students, or 10% of the total number of students in
the universe if the universe has less than 200 students.

Approach II. Withdrawal Benchmark Greater Than or
Equal to 33%

1) From the universe of students who were enrolled or graduated or
are on an approved leave of absence during the award year, select
a minimum random sample of 25 students, or 10% of the total
number of students in the universe if the universe has less than
200 students.

- AND -

2) From the universe of students who withdrew, dropped, or
terminated during the award year, select a minimum random
sample of 50 students, or a minimum of 25% of the total number
of students in the universe if the universe has less than 200
students.

NOTIFYING INSTITUTIONS OF THE STUDENTS SELECTED
FOR THE SAMPLE PRIOR TO ON-SITE AUDIT WORK IS
STRICTLY PROHIBITED.


Sample Results

Based on the results of testing randomly selected students using
either Approach discussed, if the IPA determines that material
noncompliance exists he/she must expand the sample in order to
evaluate statistically the projected error rate and report total SFA
questioned costs at the 95% confidence level with a confidence
interval of + or - or -5%. Sample results must be considered in the
context of either total SFA funding or individual attribute. Statistical
sampling results must include information on the population, sample
size, and error found in the sample.

All other noncompliance findings*1* must include information on
the IPA's definition of material noncompliance, and the number of
students and dollar value by SFA program for :

- Population,
- Sample size, and
- Instances of noncompliance.

The IPA should incorporate the three summary schedules outlined in
Example E in the Schedule of Findings and Questioned Costs
(Example F). The information in Example E must be submitted on
diskette as part of the reporting package to assist ED in the efficient
resolution of audit findings. To download the software for Example
E follow the instructions in Appendix D.

Reporting Noncompliance

This guide requires that all instances of noncompliance identified by
the institution's management in its assertions or by the IPA during
his/her engagement must be reported as a finding in the Schedule of
Findings and Questioned Costs. This applies even in those cases
where corrective action was taken by the institution after the
examination period. The only exceptions are those instances of
noncompliance that are detected by the institution's internal control
structure and corrected in a timely manner.

Compliance Attestation Reporting

The institution shall transmit five copies of both the institution's
compliance reporting package [report cover must clearly indicate the
programs, sites, and period which were examined (Example B)] and
its corrective action plan to:

U.S. Department of Education
Office of Postsecondary Education
Institutional Participation & Oversight Service
Institutional Monitoring Division, Audit Resolution Branch
600 Independence Avenue SW
ROB 3, Room 3919
Washington, D.C. 20202-5430


The institution's report package must include the following:

1. Auditor Information Sheet (Example C);

2. A report on management's assertions on compliance with
specified requirements applicable to SFA programs (Example D);

3. Summary Schedules (Example E on diskette) and Schedule of
Findings and Questioned Costs (Example F);

4. IPA's comments on resolution matters of prior audit findings
(Example G);

5. Institution's CAP (Example H);

6. If any, report on internal control over compliance of any
reportable conditions or material weaknesses noted in accordance
with SSAE No. 3 paragraph 46; and

7. If a separate report on illegal acts which could result in criminal
prosecution was submitted in accordance with the instructions in
Section I of this guide, it should also be included as part of the
reporting package.


QUALITY CONTROL REVIEW OF AUDIT REPORTS

The ED OIG has implemented procedures for evaluating audits
performed by non-Federal auditors. As part of this evaluation, the
supporting audit working papers shall be made available upon
request by the cognizant RIGA in accordance with 34 CFR 668. If
the working papers are requested, the IPA should consider the
guidance in AU Section 9339.1, Providing Access to or Photocopies
of Working Papers to a Regulator.

Substandard workpapers or major inadequacies in the audit may
result in referrals to the AICPA and the cognizant State Board of
Accountancy. ED may also initiate action to debar the IPA from
further participation in Federal programs. Recent quality control
reviews have identified numerous deficiencies where IPAs have not
documented, in their working papers, the audit work performed and
conclusions reached in accordance with Government Auditing
Standards.


FUTURE REVISIONS

Revisions to certain auditing standards are contemplated. As they
become effective, the IPA must modify audit performance to meet
the revised audit standards.

ED periodically revises the SFA program compliance requirements
and the OIG plans to issue revisions to this guide to reflect changes.
The IPA is responsible for assuring that he/she is using the most
current version of this guide.

Any suggestions for improvement to this guide are welcome and
should be forwarded on the IPA's letterhead to:

U.S. Department of Education
Office of Inspector General
Non-Federal Advisory and Assistance Team
600 Independence Avenue SW
Washington, DC 20202-1510

*1* During audit resolution ED may require a statistical sample or a
full file review of all Title IV students to be completed.