AuditGuideType: Audit Guide for Schools
SectionTitle: Planning and Other Considerations for Audit of Institution Servicers
PageNumbers: III-1 to III-8
PLANNING AND OTHER CONSIDERATIONS
FOR AUDITS OF INSTITUTION SERVICERS
PURPOSE OF THIS SECTION
This section is to assist independent public accountants (IPAs) engaged to performed compliance attestation engagements of third-party service organizations [servicer(s)] when the functions performed are applicable to the administration of the U.S. Department of Education (ED) Federal Student Financial Assistance (SFA) Programs.
To the extent that an institution contracts with a servicer to administer any aspect of the SFA Programs, the applicable compliance requirements and guidance contained in other Sections of the Guide also apply to that servicer. This section must be used by the IPA to attest to the management assertions about compliance with the SFA programs made by any institution servicer participating in or administering any aspect of the SFA programs, except for institution servicers which obtain an audit in accordance with the Single Audit Act, OMB Circular A-133 or its predecessors. However, this Guide must be used if a program specific audit is being performed to satisfy the single audit requirements.
This guidance is not intended to be a complete manual of procedures, nor is it intended to supplant the IPA's judgment of the work required. Suggested procedures described may not cover all circumstances or conditions encountered. The IPA should use professional judgment and due care to tailor the procedures so that the compliance attestation engagement objectives are achieved. However, all applicable management assertions contained in this update must be addressed by the IPA. The IPA should contact the cognizant Regional Inspector General for Audit for technical assistance related to performing the engagement. (See Appendix C)
REQUIREMENTS AND STANDARDS FOR SERVICER ATTESTATION ENGAGEMENTS
Annual Compliance Audit
Section 487(c)(C)(I) of the Higher Education Act of 1965, as amended, (HEA) requires annual compliance audits of servicers with regard to any contract with an eligible institution, guaranty agency or lender for administering or servicing any aspect of the student financial assistance (SFA) programs. The HEA requires that these audits be performed in accordance with the U.S. General Accounting Office's Government Auditing Standards, issued by the Comptroller General of the United States. This Audit Guide provides guidance in satisfying the annual compliance audit requirement by performing an examination level attestation engagement of compliance and internal control over compliance under AICPA Statement on Standards for Attestation Engagements (SSAE) No. 3, Compliance Attestation.
Part 668.23 of Title 34 of the Code of Federal Regulations (CFR) requires that all servicers have an annual compliance audit performed of the servicer's administration of the participation in the Title IV, HEA programs of each institution with which the servicer has a contract, UNLESS:
--the servicer contracts with only one participating institution; and
--the audit of that institutions participation involves every aspect of the servicer's administration of that Title IV program.
SFA compliance attestation objectives are to determine and report whether the servicer managements assertions relative to compliance and internal control over compliance with specified compliance requirements in Section IV of this guide are fairly stated in all material respects (institutional eligibility and participation, reporting, student eligibility, disbursements, refunds, cash management, close out examinations, Perkins collections and due diligence, servicer eligibility, and servicer systems and internal controls).
ED in part meets its stewardship responsibilities by acting upon noncompliance and internal control weakness noted in the IPAs reports. Therefore, IPAs reports must contain adequate information to give reported matters perspective and to allow ED to take necessary corrective action.
These annual compliance audit requirements are considered satisfied by an audit conducted, where applicable, in accordance with the Single Audit Act, the Office of Management and Budget (OMB) Circular A-133, or its predecessors.
Standards for Servicer Attestation Engagements
The servicer's compliance attestation engagement shall be conducted by an independent auditor in accordance with the U.S. General Accounting Office's (GAO), Government Auditing Standards (GAS), issued by the Comptroller General of the United States. This update requires an examination-level attestation engagement relative to a servicer management's assertions about certain compliance aspects related to SFA program participation as identified in Section IV. Therefore, in addition to applicable standards contained in the GAS, the Statement on Standards for Attestation Engagements (SSAE) No. 3, Compliance Attestation, issued by the American Institute of Certified Public Accountants (AICPA) also applies.An IPA engaged to perform a servicer compliance attestation engagement should also refer to Section I of this Guide for guidance concerning matters requiring immediate action, auditor qualifications, engagement letters, follow-up on prior audit findings, corrective action plan, quality control reviews, and future revisions as much of that guidance is not repeated in this section.
ENGAGEMENT PERIODS AND REPORT DUE DATE
First Year Engagements
A servicer's first engagement must cover the servicer's activities for the fiscal year, ending on or after July 1, 1996. Since regulations require audits for periods on or after July 1, 1994, in which the servicer administered any aspect of an institutions participation in the Title IV, HEA programs, ED reserves the right to request copies of audits for fiscal years prior to July 1, 1996.
Each subsequent annual engagement must cover the servicer's activities for the entire period of time (fiscal year) since the servicer's preceding engagement.
An institutions servicer shall submit its engagement report to ED within six months of the end of the servicer's fiscal year or, if applicable, in accordance with deadlines established in the Single Audit Act, OMB Circular A-133 or its predecessors. An institutions servicers first engagement under this Guide must be submitted within six months after the issuance of this Section or six months after the end of the servicers fiscal year, whichever is later.
A servicer's failure to meet report due dates may result in administrative sanctions described in 34 CFR 668, Subpart G.
SERVICER'S REPORTING ENTITY
Contracting With More Than One Institution, Lender or Guaranty Agency
A servicer that contracts with more than one participating institution may submit a single compliance attestation report that covers the applicable compliance requirements in Section IV of this Guide relating to the servicer's administration of the participation in the Title IV, HEA programs for each institution with which the servicer contracts.
A servicer that contracts with both an institution and a lender may not submit a single compliance attestation report to cover the servicer's participation in all of the Title IV, HEA programs. The servicer reports for lenders or guaranty agencies must be separate from the servicer audits for institutions because the services provided to each are markedly different.
The servicer's management should assess the services it provides and whether it can make all or part of the applicable assertions in Section IV of this Guide. Scope limitations because of a servicer management's refusal to provide the applicable assertions may result in the servicer being subject to administrative actions listed in 34 CFR 668 Subpart G.
Servicer Corrective Action Plan
To assist in resolving instances of noncompliance, reportable conditions, and material weaknesses in the internal controls identified by the IPA, ED requires a servicer to develop a corrective action plan as part of its report. The corrective action plan is considered an essential part of the report requirement for the Title IV, HEA Programs. The corrective action plan is prepared by the servicer on the servicer's letterhead, and includes the name, title, and telephone number of the servicer official responsible for its preparation.
The corrective action plan must describe the corrective action taken or planned in response to findings identified by the IPA. In addition, the servicer must comment on the status of corrective action taken on prior findings. A suggested format for the corrective action plan is provided in Example H of Section V of this Guide.
Engagement and Management Representations
The compliance attestation engagement must be performed as an examination-level engagement in accordance with SSAE No. 3 and Government Auditing Standards. The IPA is required to obtain written assertions from management as part of a compliance attestation engagement performed in accordance with SSAE No. 3. The nature of the written management assertions made by the servicer's management and the scope of the engagement may vary depending on the extent an institution has contracted with the servicer to perform certain compliance functions. Such assertions should be obtained from management in a letter of representation to the IPA. The letter of assertions should identify the services provided for which the servicer is responsible. The matrix in Example C-1 must be prepared and included as part of the reporting package.
All applicable management assertions contained in Section IV of the Guide must be addressed by the IPA. In addition to the specific assertions identified in that part, as applicable, management's written representations should include the matters required by paragraph 70 of SSAE No. 3. Paragraph 71 of SSAE No. 3 discusses the IPA's responsibility when management refuses to furnish all appropriate written representations.
PLANNING CONSIDERATIONS FOR SERVICER ATTESTATION ENGAGEMENTS
Purpose and Objective of Servicer Attestation Engagements
The overall purpose of the servicer engagements is to provide ED assurance that the servicer has complied with and has effective internal controls over the compliance requirements listed in Section IV of this Guide applicable to the servicer's administration of the participation in the SFA programs.
Consideration of the Servicer's Internal Controls
Overall guidance for the consideration of the internal controls and reporting requirements in an examination-level engagement is provided in Government Auditing Standards and in paragraphs 44-46 of SSAE No. 3. Paragraph 44 of SSAE No. 3 states that the practitioner should obtain an understanding of relevant portions of the internal controls over compliance sufficient to plan the examination engagement and to assess control risk for compliance with the specified requirements (that is, compliance requirements specified in Section IV of this guide). This guide further requires the practitioner to document his or her consideration of the servicer's policies and procedures and assessment of control risk. Section IV of this guide highlights the suggested procedures that have related internal control and risk assessment documentation requirements by the use of an "*".
During an examination-level attestation engagement, the IPA may become aware of reportable conditions or material weaknesses in the servicers internal controls over compliance. A reportable condition is a significant deficiency in the design or operation of the internal controls over compliance that could adversely affect the servicers ability to comply with the specified requirements. A material weakness is a reportable condition in which the design or operation of the internal controls does not reduce to a relatively low level the risk that noncompliance with one or more of the specified requirements could occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. The IPA's responsibility to communicate these deficiencies in an examination of management's assertion is similar to the IPA's responsibility described in SAS No. 60. However, this guide requires all communications of reportable conditions and material weaknesses in the internal controls over compliance to be in writing and requires the IPA to include a copy of such report(s) in the IPA's reporting package.
Except for reporting reportable conditions and material weaknesses as described above, no other reporting on the internal controls over compliance is required. The Government Auditing Standards requirement for a report on internal controls based on performing a financial-related audit does not apply.
Paragraph 35 of SSAE No. 3 provides guidance on the IPA's consideration of materiality as it relates to each separate management assertion about compliance. Materiality for purposes of compliance assertions differs from materiality for financial reporting purposes. Accordingly, materiality relates to each separate management assertion about compliance. For the purposes of planning and performing tests for each of the compliance requirements, the IPA should consider the materiality of management's assertions in relation to each of the individual services performed. The IPA should issue a qualified or adverse compliance report when reporting instances of noncompliance that are material in relation to each of the specific compliance requirements.
This Guide requires that all instances of noncompliance pertaining to servicers be reported as a finding in the Schedule of Findings and Questioned Costs (see Reporting Noncompliance below). As discussed in paragraph 36 of SSAE No. 3, this should not change the practitioners judgements about materiality in planning and performing the engagement or in forming an opinion on the servicer managements assertions.
This guide requires sampling methodologies be used to test the required management assertions in Section IV for those assertions which apply to the servicer. The sample(s) must be taken randomly. In selecting a sample, consideration must be given to the systems used to provide services and the sample(s) must also include transactions that flow through all systems used by the servicer. The IPA must use professional judgment in determining the sample universes and sizes and that the sample relates to an audit objective. For example, if a servicer provides some clients with assistance in obtaining and maintaining their institutional eligibility, the IPA may consider taking a sample of the clients for whom this service is provided and evaluate compliance with Title IV regulations.
If the IPA determines that material noncompliance exists he/she must expand the sample in order to evaluate statistically the projected error rate and report total SFA questioned costs at the 95 percent confidence level with a confidence interval of +5%. Sample results must be considered in the context of either total SFA funding or individual attribute. Statistical sampling results must include information on the population, sample size, and error found in the sample.
All other noncompliance findings *1* must include information on the IPA's definition of material noncompliance, and the number of students and dollar value by school and by SFA program for:
Sample size, and
Instances of noncompliance.
This Guide requires that all instances of noncompliance identified by the servicers management in its assertions or by the IPA during the engagement must be reported as a finding in the Schedule of Findings and Questioned Costs. This applies even in those cases where corrective action was taken by the servicer after the examination period. The only exceptions are those instances of noncompliance that are detected by the servicers internal controls and corrected in a timely manner.
Managementss assertions and the IPAs reports issued pursuant to this guide are a primary tool used by program managers in meeting their stewardship responsibilities in overseeing the SFA programs. The areas of noncompliance noted in managements assertions and/or the IPAs reports must be acted upon by ED program managers. To be of value, these reports must contain adequate information to give reported matters perspective and to allow the managers to take necessary corrective action.
If the report discloses material noncompliance (either in the servicer managements assertions or the IPAs report) or if immaterial noncompliance was identified by the servicer or the IPA during the engagement, the report or a separate communication must be sent to each institution serviced disclosing the instances of noncompliance applicable to the institution, and of managements plans to correct the noncompliance.
Compliance Attestation Reporting
The servicer shall transmit four copies of both the servicers compliance reporting package and its corrective action plan to:
U.S. Department of Education
Office of Postsecondary Education
Institutional Participation & Oversight Service
Data Management & Analysis Division
600 Independence Avenue SW
ROB 3, Room 3082
Washington, D.C. 20202-5430
The servicers report package must include the following:
1. Servicer Information Sheet (Example C-1);
2. A report on management's assertions on compliance with specified requirements applicable to SFA programs (Example D);
3. Schedule of Findings and Questioned Costs (Example F);
4. IPA's comments on resolution matters of prior audit findings (Example G);
5. Servicers CAP (Example H);
6. Division of Responsibilities for Compliance Requirements (Example I);
7. If any, report on internal control over compliance of any reportable conditions or material weaknesses noted in accordance with SSAE No. 3 paragraph 46;
8. If a separate report on illegal acts which could result in criminal prosecution was submitted in accordance with the instructions in Section I of this guide, it should also be included as part of the reporting package; and
9. If separate communications are sent to each institution disclosing the impact of the findings on the institutions, those communications should also be included as part of the reporting package.
*1* During audit resolution ED may require a statistical sample or a full file review of all Title IV students to be completed.