SFA Information for Financial Aid Professionals
U.S. Department of Education
AuditGuideType: Audit Guide for Schools
SectionTitle: Audit Planning and Other Considerations for Audits of Institutions
PageNumbers: I1 - I14
AUDIT PLANNING AND OTHER CONSIDERATIONS
FOR AUDITS OF INSTITUTIONS
PURPOSE OF GUIDE
This guide is to assist independent auditors (IPAs) in performing audits of Federal Student Financial Assistance (SFA) programs. This guide supersedes the Audit Guide, Audits of Student Financial Assistance Programs (March 1990) and Non-Federal Technical Bulletin 92-1, and is effective for SFA compliance audits (attestation engagements) for award years ending June 30, 1995 and thereafter.
The Higher Education Act of 1965, as amended, (HEA) requires annual financial and compliance audits (34 CFR Part 668.23) of Title IV HEA programs for all institutions that participate in:
Federal Family Educational Loan (FFEL),
Federal Direct Loan Program (FDLP),
Federal Pell Grant (Pell),
Federal Perkins Loan,
Federal Work-Study (FWS), or
Federal Supplemental Educational Opportunity Grant (FSEOG) Program.
The HEA requires that these audits be performed in accordance with the standards for financial audits of the U.S. General Accounting Office's Government Auditing Standards (1994 Revision), issued by the Comptroller General of the United States.
SFA audit/attestation objectives are to:
1. Determine and report whether:
The institution's basic financial statements are fairly presented, in all material respects, in accordance with generally accepted accounting principles (GAAP), and
The institution management's assertions relative to compliance with specified compliance requirements in Section II of this guide are fairly stated in all material respects (institutional eligibility and participation, reporting, student eligibility, disbursements, refunds, cash management, and, if applicable, close out examinations).
2. Assist ED in meeting its stewardship responsibilities by ED acting upon noncompliance and internal control weaknesses noted in the IPA's reports. The IPA's reports must contain adequate information to give reported matters perspective and to allow ED to take necessary corrective action.
In addition to the required financial statement audit, this guide requires an examination-level attestation engagement relative to the institution management's assertions about certain compliance aspects related to SFA program participation. Therefore, in addition to applicable standards contained in the Government Auditing Standards, the Statement on Standards for Attestation Engagements (SSAE) No. 3, Compliance Attestation, issued by the American Institute of Certified Public Accountants (AICPA) also applies.
This guide is to be used by all institutions (including foreign schools) which administer SFA funds, with one exception:
Public colleges, State and local universities, and nonprofit institutions audited in accordance with OMB Circular A-133 or its predecessors. NOTE: Organizations whose funding is below OMB Circular A-133's threshold (currently $300,000 per fiscal year) are exempt from submitting a single audit to the Department under OMB Circular A-133. The Organization may be asked to submit to the Department copies of any financial statement or compliance audits that are otherwise prepared for the institution.
This guide is divided into five sections:
Section I and III Provides general information about engagement planning and other considerations.
Section II and IV Identifies the compliance requirements and management's assertions that must be reported on by the IPA.
Section V Provides the reporting requirements and illustrative reports. This guide is not intended to be a complete manual of procedures, nor is it intended to supplant the IPA's judgment of the work required. Suggested procedures described may not cover all circumstances or conditions encountered at a particular institution. The IPA should use professional judgment and due care to tailor the procedures so that the financial statement audit and compliance attestation engagement objectives are achieved. However, all applicable management assertions contained in this guide must be addressed by the IPA. The IPA should contact the Dallas Regional Inspector General for Audit (RIGA) (See Appendix C) for technical assistance related to performing the engagement required by this guide.
ENGAGEMENT PERIODS AND REPORT DUE DATES
Effective for reports submitted on or after July 1, 1997 the annual periods to be audited are:
Institution's basic GAAP financial statements, based on the institution's fiscal year, in accordance with Government Auditing Standards and generally accepted auditing standards; and
Compliance based on the institution's fiscal year by examining and reporting on the institution management's assertions about compliance with specified SFA laws and regulations, in accordance with SSAE No. 3 and Government Auditing Standards.
Institutions may engage different IPAs to perform the audit of the financial statements and the compliance attestation engagement.
A combined financial statement and compliance attestation report package is due six months following the fiscal year end as shown below. This change in the compliance audit period from an award year to a fiscal year requires a separate compliance attestation report package that is also due which covers the period from the date of the last compliance report (should be period ending June 30, 1995) to the end of the fiscal year prior to the first fiscal year compliance audit (34 CFR 668.23).
[[This file contains the chart, Combined Financial Statement and Compliance Attestation report deadlines in Portable Document Format (PDF). It can be viewed with version 3.0 or greater of the free Adobe Acrobat Reader software.]]
The institution's failure to meet report due dates may result in administrative sanctions described in 34 CFR 668, Subpart G. Questions concerning report periods and due dates should be addressed to the Performance Improvement and Procedures Division, IPOS, contact office shown on Page I-8.
MATTERS REQUIRING IMMEDIATE ACTION
Irregularities or Illegal Acts
This Guide requires practitioners to design and perform procedures to provide reasonable assurance of detecting significant illegal acts and to report directly to the ED Office of Inspector General any fraudulent act or indication of such acts. In addition, paragraph 30 of SSAE No. 3 says that an examination-level engagement includes "designing the examination to detect both intentional and unintentional noncompliance that is material to managements assertion." Accordingly, practitioners should be aware of fraud or high risk areas and recognize basic weaknesses in internal controls. See Appendix B for a list of high risk indicators or conditions a practitioner may encounter while performing the compliance engagement.
As described in Paragraph 4.16 of Government Auditing Standards, if the practitioner becomes aware of fraud or indications of fraud, the practitioner should exercise due professional care to avoid any actions that would compromise the protection of an individual's rights and the integrity of any official inquiries. Upon discovery of a fraudulent act or indication of such an act related to Federal programs, this Guide requires the practitioner to immediately contact the ED Office of Inspector General, Investigation Services, by phone or fax at the numbers shown below before extending audit steps and procedures. In addition, the practitioner must promptly prepare a separate written report concerning fraudulent acts or indications of such acts and include all information described in Section IV on reporting findings. This report should be submitted to the ED Office of Inspector General, Investigation Services, within 30 days after the date of discovery of the act or within the time frame agreed to by the practitioner and the ED Office of Inspector General, Investigation Services. The practitioner shall submit this report to the Assistant Inspector General for Investigations at this address:
Assistant Inspector General for Investigations
U. S. Department of Education
600 Independence Avenue, SW, Room 4122, MES
Washington, D.C. 20202-1510
For supplemental guidance, see Chapters 4 and 5 of Government Auditing Standards. In addition, practitioners may wish to consult SAS No. 53, The Auditor's Responsibility to Detect and Report Errors or Irregularities, SAS No. 54, Illegal Acts by Clients
(AICPA, Professional Standards, vol. 1, AU sec. 317) and SAS No. 82, Consideration of Fraud in a Financial Statement Audit.
Due Care and Professional Skepticism
Paragraph 3.26 of Government Auditing Standards states that due professional care should be used in conducting the audit and in preparing related reports. Paragraph 37 of SSAE No. 3 requires that the practitioner "exercise (a) due care in planning, performing, and evaluating the results of his or her examination procedures and (b) the proper degree of professional skepticism to achieve reasonable assurance that material noncompliance will be detected." This Guide cautions practitioners against ignoring basic weaknesses in internal controls, performing audit steps mechanically (auditing form over substance), and accepting explanations for audit exceptions without question.
IPAs must meet the qualification and independence standards specified in Government Auditing Standards, including continuing education and peer review requirements. Internal auditors of an institution are not independent while auditing within it. However, IPAs may consider the work of the internal auditors in performing the financial statement audit and the examination-level compliance attestation engagement. IPAs should apply the concepts and guidance in SAS No. 65, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.
Government Auditing Standards require IPAs and audit firms to comply with applicable provisions of the public accountancy law and rules of the jurisdiction in which they are licensed and where the engagement is being conducted. If the institution is located in a state outside of the home state of the IPA, and the IPA performs substantial field work in the institution's state, the IPA should document his/her compliance with the licensing requirements of the public accountancy laws of that state. This guide does not impose additional licensing requirements beyond those established by the individual State Boards of Accountancy.
The IPA and audit firms must comply with the applicable provisions of the public accountancy law and rules of the country in which they are licensed and where the engagement is being performed. If the country does not have any public accountancy law or professional standards, the IPA must follow United States standards.
GENERAL PLANNING CONSIDERATIONS
An engagement letter between the institution and the IPA shall be prepared and must include the following:
A statement that the compliance attestation engagement is to be performed in accordance with SSAE No. 3, Government Auditing Standards, and this guide;
A description of the scope of the engagement and the related reporting that will meet the requirements of this guide;
A statement that both parties understand that ED intends to use the IPA's report to help carry out its oversight responsibilities of the Title IV programs; and
A provision that the IPA is required to provide ED, the Inspector General and their representatives access to working papers (including making photocopies, as necessary). [IPAs should refer to AU Section 9339, "Interpretations of AU Section 339 'Working Papers,'" of the AICPA Professional Standards for guidance.]
Third Party Servicer Audit
When an institution uses a third party servicer (servicer), the IPA should obtain the most recent servicer audit and any other reports regarding servicer compliance. If the audit contains findings of noncompliance, the IPA should assess the effect of that noncompliance on the nature, timing or extent of substantive tests at the institution. If significant noncompliance is disclosed in the servicer's audit, the IPA must assess the effect of that noncompliance on the institution and include that information in the audit report.
IPAs should be aware that ED may impose administrative actions on institutions and should consider its impact on risk assessment, accordingly. Common actions involving Title IV cash management may require an institution to:
Contract with an escrow agent to monitor funding, or
Be on a cost reimbursement basis with ED.
Follow-up on Prior Audit Findings
The IPA should review prior audit findings, including IPA, ED-OIG, ED-Student Financial Assistance Program (SFAP) reviews, guarantee agency reports, State licensing agency reports, and SPRE reviews, and the resolution of those findings (See Example G). If there are no prior years compliance audit reports, prepare a finding to that effect.
A substantial portion of an institution's records and processes may be at another location, yet enrollment/SFA application processes and attendance monitoring are generally located at the institution. In order to obtain an understanding of the related internal control structure and to assess control risk, the processes which take place at the institution must be observed. Therefore, the IPA must perform audit procedures at the institution either during the audit or during the audit period. There should be a visit to every location in the first year of an engagement. For a cyclical approach to be acceptable, each location should be visited at least once every two years. The IPA must identify the location(s) and the date(s) of the visits on the Auditor's Information Sheet (AIS) (See Example C).
Corrective Action Plan
ED requires an institution to submit five copies of an applicable corrective action plan (CAP) as part of its audit report package. In the CAP, which must be on the institution's letterhead, institution officials must provide its concurrence or nonconcurrence with the IPA's findings and describe the corrective actions taken or planned. In addition, the institution must comment on the status of corrective action taken on prior audit findings. Additional guidance concerning the CAP is contained in Section V of this guide (Example H).
Audit report packages submitted without an applicable CAP are incomplete and will be returned to the institution. Institutions may be subject to administrative sanctions pursuant to 34 CFR 668 Subpart G.
Close Out Examinations
An institution that loses eligibility, ceases to provide educational instruction, or otherwise discontinues participation in the Title IV programs must have a close out compliance examination (currently, no financial statement audit is required). This examination must cover the period from the end of the last compliance examination through the date participation ends. All institution compliance sections of this guide must be tested and the report is due to ED within 90 days after the date participation ends.
The IPA should consider sending positive confirmations to verify student existence and attendance at the institution. The suggested format of the confirmation follows. The IPA must use professional judgement on: how many attempts must be made to obtain the information, analysis of the responses [including whether the confirmation results require the IPA to report them as matters requiring immediate attention (See pages I-3 and I-4)], and how the responses might impact the overall engagement.
Suggested Confirmation Format:
[Institution] records show that you attended/are attending this school.Is this correct? Yes No
[Institution] records show that you attended from (date) to (date). Is this correct? Yes No
AUDIT REPORT PACKAGE
The institution shall transmit five copies of the institutions audit report package and its corrective action plan to the address listed at the top of page I-13.
The audit of the institution's basic GAAP financial statements must be performed in accordance with Government Auditing Standards and generally accepted auditing standards. The IPA's reports are illustrated at Examples A-1 through A-3.
Foreign institutions financial statements may be prepared in accordance with the generally accepted accounting principles of the institutions home country if the institution administered less than $500,000 of Title IV funds during its fiscal year. Institutions administering more than $500,000 per fiscal year must have their financial statements translated into United States standards (34 CFR 668.15).Management and Legal Counsel Representation Letters
The IPA is required to obtain management's and legal counsel's written representations as part of the financial statement audit. Management's written representations must also be obtained for matters concerning compliance with SFA program laws and regulations that have a direct and material effect on the financial statement amounts. Additional guidance is provided in SAS No. 19, Client Representations and SAS No. 12, Inquiry of a Client's Lawyer Concerning Litigation, Claims, and Assessments.
Consideration of Internal Control Structure Over Financial Reporting
Guidance on the IPA's consideration of the internal control structure in the financial statement audit is provided in Government Auditing Standards and SAS No. 78, Consideration of the Internal Control Structure in a Financial Statement Audit. The IPA's responsibility to communicate reportable conditions and material weaknesses in internal control noted in the financial statement audit are described in SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit and Government Auditing Standards.
85/15 Revenue Test A proprietary institution must disclose in a footnote to its audited financial statements the percentage (including the figures used to make the calculation) of its revenues derived from the Title IV funds received during the fiscal year covered by that audit (34 CFR 668.23). The calculation must be made on a cash basis and in accordance with 34 CFR 600.5.
If you have any questions regarding financial statement audit requirements or the financial statement presentation, contact:
U. S. Department of Education Performance Improvement and Procedures Division, IPOS Attn: Financial Analysis 600 Independence Avenue, SW ROB-3, Room 3682 Washington, DC 20202-5265
Tel. (202) 260-5742 Fax: (202) 708-6730
Financial Statement Reporting
An institution's financial statement portion of the audit report package must include the following:
1. A report on the audit of the basic financial statements (Example A-1);
2. A report on the internal control structure based on an audit of the basic financial statements (Example A-2);
3. A report on compliance based on an audit of the basic financial statements (Example A-3).
The requirements for the compliance portion of the audit report package start at the bottom of page I-12.
COMPLIANCE ATTESTATION ENGAGEMENT
The compliance attestation engagement must be performed as an examination - level engagement in accordance with SSAE No. 3 and Government Auditing Standards. Management's written assertions are the basis for the IPA's testing and therefore are an integral part of the engagement. Such assertions normally should be obtained from management in a letter of representation to the IPA. The IPA should also obtain management's written representations as discussed in paragraph 70 of SSAE No. 3.
The institution is responsible for all assertions in Section II of this guide even if the institution contracted with a servicer to perform certain of the compliance activities covered by this guide. It is ED's opinion that institutions maintain or have access to sufficient documentation to make the required assertions in Section II of this guide. Institutional eligibility, reporting, student eligibility, disbursements to students, refunds and cash management documentation originate at the institution. If necessary, documentation at a servicer should be obtained so management can make the required assertions. Scope limitations because of management's refusal to provide the assertions in Section II of this guide may result in the institution being subject to administrative actions listed in 34 CFR 668 Subpart G. SSAE No. 3 paragraph 71 discusses the IPA's responsibility when management refuses to furnish all appropriate written representations.
Computer and Electronically Processed Data
Because of the growth in the use of computers, institutions are processing SFA information electronically; however, the IPAs audit objectives do not change. IPAs should consider the controls over computers and the SFA information processed electronically. Some items to be considered are: Operating procedures, processing schedules, physical and internal computer security (location and accessability to terminals, controls over passwords, etc), reliability of computer processed data, computer backup schedules, and disaster recovery plans.Consideration of Internal Control Structure Over Compliance
Overall guidance for the consideration of the internal control structure in an examination-level attestation engagement is provided in Government Auditing Standards and in paragraphs 44-46 of SSAE No. 3. Paragraph 44 of SSAE No. 3 states that the IPA should obtain an understanding of relevant portions of the internal control structure over compliance sufficient to plan the examination engagement and to assess control risk for compliance with the specified requirements (that is, compliance requirements specified in Section II). IPAs must document this understanding (may include flowcharts, narrative, or other means) and their assessment of control risk. Section II of this guide highlights the suggested procedures that have related internal control and risk assessment documentation requirements by the use of an "*".
In planning the engagement, the IPA should be aware that SFA programs are normally administered by more than one organizational component within the institution and that each component may maintain a separate or different internal control structure, policies, or procedures for ensuring compliance. Controls over the following warrant particular emphasis:
Determination of student eligibility, Disbursements, and Refunds.
During an examination-level attestation engagement, the IPA may become aware of reportable conditions or material weaknesses in the institution's internal control structure over compliance. A reportable condition is a significant deficiency in the design or operation of the internal control structure over compliance that could adversely affect the institution's ability to comply with the specified requirements. A material weakness is a reportable condition in which the design or operation of the internal control structure does not reduce to a relatively low level the risk that noncompliance with one or more of the specified requirements could occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. The IPA's responsibility to communicate these deficiencies in an examination of management's assertion is similar to the IPA's responsibility described in SAS No. 60. However, this guide requires all communications of reportable conditions and material weaknesses in the internal control structure over compliance to be in writing and requires the IPA to include a copy of such report(s) in the IPA's reporting package.
Except for reporting reportable conditions and material weaknesses as described above, no other reporting on the internal control structure over compliance is required. The Government Auditing Standards requirement for a report on internal controls based on performing a financial-related audit does not apply.
Paragraph 35 of SSAE No. 3 provides guidance on the IPA's consideration of materiality as it relates to each separate management assertion about compliance. Materiality for purposes of compliance assertions differs from materiality for financial reporting purposes. Accordingly, materiality relates to each separate management assertion about compliance. The IPA should consider the materiality of management's assertions in the context of total SFA funding or individual attribute.
This guide requires the following sampling methodology to be used to test the required management assertions on student eligibility, disbursements and refunds in Section II of this guide. The population of students who received Title IV SFA during the engagement period (fiscal year) should be segregated into two universes:
1) Students who were enrolled or graduated or are on an approved leave of absence, and
2) Students who withdrew, dropped, or were terminated.
Obtain or calculate the withdrawal benchmark using the following formula:
Exclude from the calculation those students who were entitled to and actually received a 100% refund of tuition and fees.
Based on the withdrawal benchmark, the IPA should follow one of the two Approaches described below. Both approaches require all randomly selected students to be tested for student eligibility, disbursements and, if appropriate, refunds. See Sample Results for discussion if material noncompliance is found and additional testing is required.
Approach I. Withdrawal Benchmark Less Than 33%
1) From the universe of students who were enrolled or graduated or are on an approved leave of absence during the fiscal year, select a minimum random sample of 50 students, or 25% of the total number of students in the universe if the universe has less than 200 students.
2) From the universe of students who withdrew, dropped or were terminated during the fiscal year, select a minimum random sample of 25 students, or 10% of the total number of students in the universe if the universe has less than 200 students.
Approach II. Withdrawal Benchmark Greater Than or Equal to 33%
1) From the universe of students who were enrolled or graduated or are on an approved leave of absence during the fiscal year, select a minimum random sample of 25 students, or 10% of the total number of students in the universe if the universe has less than 200 students.
2) From the universe of students who withdrew, dropped, or terminated during the fiscal year, select a minimum random sample of 50 students, or a minimum of 25% of the total number of students in the universe if the universe has less than 200 students.
Notifying institutions of the students selected for the sample prior to on-site audit work is strictly prohibited.
Based on the results of testing randomly selected students using either Approach discussed, if the IPA determines that material noncompliance exists he/she must expand the sample in order to evaluate statistically the projected error rate and report total SFA questioned costs at the 95% confidence level with a confidence interval of +5%. Sample results must be considered in the context of either total SFA funding or individual attribute. Statistical sampling results must include information on the population, sample size, and error found in the sample.
All other noncompliance findings (During audit resolution ED may require a statistical sample or a full file review of all Title IV students to be completed. ) must include information on the IPA's definition of material noncompliance, and the number of students and dollar value by SFA program for :
Sample size, and
Instances of noncompliance.
The IPA should incorporate the three summary schedules outlined in Example E in the Schedule of Findings and Questioned Costs (Example F). The information in Example E must be submitted as part of the reporting package to assist ED in the efficient resolution of audit findings. Follow the instructions in Appendix D for submitting Example E.
This guide requires that all instances of noncompliance identified by the institution's management in its assertions or by the IPA during his/her engagement must be reported as a finding in the Schedule of Findings and Questioned Costs. This applies even in those cases where corrective action was taken by the institution after the examination period. The only exceptions are those instances of noncompliance that are detected by the institution's internal control structure and corrected in a timely manner.
Compliance Attestation Reporting
The compliance report section of the institutions audit report package must start with a page which clearly indicates the programs, sites, and period which were examined (Example B). A complete audit report package must be mailed to:
U.S. Department of Education
Office of Postsecondary Education
Data Management and Analysis Division, IPOS
600 Independence Avenue SW
ROB 3, Room 3522
Washington, D.C. 20202-5430
The compliance portion of the institution's report package must include the following:
1. Auditor Information Sheet (Example C) and if the institution uses a servicer, the Servicer Information Sheet (Example C-1);
2. A report on management's assertions on compliance with specified requirements applicable to SFA programs (Example D);
3. Summary Schedules (Example E - See Appendix D) and Schedule of Findings and Questioned Costs (Example F);
4. IPA's comments on resolution matters of prior audit findings (Example G);
5. Institution's CAP (Example H);
6. If any, report on internal control over compliance of any reportable conditions or material weaknesses noted in accordance with SSAE No. 3 paragraph 46; and
7. If a separate report on illegal acts which could result in criminal prosecution was submitted in accordance with the instructions in Section I of this guide, it should also be included as part of the reporting package.
QUALITY CONTROL REVIEW OF AUDIT REPORTS
The ED OIG has implemented procedures for evaluating audits performed by non-Federal auditors. As part of this evaluation, the supporting audit working papers shall be made available upon request by the cognizant RIGA in accordance with 34 CFR 668. If the working papers are requested, the IPA should consider the guidance in AU Section 9339.1, Providing Access to or Photocopies of Working Papers to a Regulator.
Substandard workpapers or major inadequacies in the audit may result in referrals to the AICPA and the cognizant State Board of Accountancy. ED may also initiate action to debar the IPA from further participation in Federal programs. Recent quality control reviews have identified numerous deficiencies where IPAs have not documented, in their working papers, the audit work performed and conclusions reached in accordance with Government Auditing Standards.
Revisions to certain auditing standards are contemplated. As they become effective, the IPA must modify audit performance to meet the revised audit standards.
ED periodically revises the SFA program compliance requirements and the OIG plans to issue revisions to this guide to reflect changes. The IPA is responsible for assuring that he/she is using the most current version of this guide.
Any suggestions for improvement to this guide are welcome and should be forwarded on the IPA's letterhead to:
U.S. Department of Education
Office of Inspector General
Non-Federal Advisory and Assistance Team
600 Independence Avenue SW
Washington, DC 20202-1510