Understanding Audits - COHEAO
Audits – A School Perspective
Agenda
1. A-133
2. Organizing your resources for an audit
3. You and your auditor
4. Conducting the audit
5. Findings and response
A-133 Definition:
This annual audit is required for all organizations that receive
grants or other awards in excess of $500,000 from a federal
agency. The specific rules for the audit are set by the federal
Office of Management and Budget (OMB). The focus of the audit is a
financial report on all federal funds received and a report on
our compliance with the rules and regulations of the granting
agencies.
The procedures utilized are applicable to most other audits.
Organizing for an Audit: Using Web-Based Collaboration Software
Single location for all data regarding a project, group or process
Easy to share knowledge among a team (audit team, system implementation team, etc.)
Easy to search for data (by word, date, etc.)
Daily e-mail notifications for updated items, tasks and project status
Access controls for editing, viewing or hiding
Electronic site set up for such projects/areas as audits, topics of interest to the community (legislative, accounting, etc.), training, tax return preparation
Ability to create folders within folders: the audit site can have separate folders for the financial statement audit, the OMB A-133 audit, NCAA audit; those folders might contain folders for financial aid samples, grants samples, loan samples, draw samples, minutes of meetings, notes for next year, deadlines, etc.
Files can be accessed by individuals at different locations (multiple campuses)
Organizing for an Audit: Document management system
Electronic repository designed for business continuity/archival
Scan paper documents or import electronic documents
Allows for better record management (easy to retrieve for auditors when needed, easy to delete when retention period is over)
Organizing for an Audit: sample auditor request list (COMPLIANCE tab)
Columns: #, Purpose, Description, Date Requested, Date Received, Provided by, Status, Comments
1. Selections for Student File Testing: Federal Aid Recipient Audit Report for FY12 (detailed listing of all students receiving Federal Aid (Title IV); the detail should include the student name, identifying # (other than SSN), and amount of each type of aid received). PwC to make a selection.
2. Selections for Student File Testing: A detailed listing of the students who received Title VII aid during FY12.
3. Student File Testing: Access to Student Files and Banner system for file testing.
4. Cash Management: Detailed listing of all draw downs by month and program (PwC to make selections for testing).
5. Cash Management: Access to supporting memos to UAS for drawdowns of federal funds (Award Balance Report/Activity Report for Pell, FSEOG and FWS).
6. Matching: Final Funding 2011-2012 authorization form/Final Federal Award Letter.
7. Matching/Reporting: Copy of the Draft FISAP and support.
8. Matching: Annual Operating Reports for PCL and LDS and support.
9. Federal Work Study: Access to the Employer Files for all students selected for FWS testing.
10. Federal Work Study: Access to time sheets for all students selected for FWS testing.
11. Federal Work Study: Access to the employment authorization forms for all students selected for FWS.
12. Federal Work Study: Please provide a listing of all outside organizations the University uses to employ Federal Work Study students.
13. Institutional Eligibility: Access to the Annual Campus Security Report. Date Requested: N/A; Date Received: N/A; Provided by: Online; Status: Completed; Comments: Provide link here.
14. Institutional Eligibility: Copy of the Most Recent Eligibility and Certification Approval Report, if updated. Date Requested: N/A; Date Received: N/A; Status: Completed; Comments: Previously provided copy applicable through 2013.
15. Institutional Eligibility: Program Participation Agreement, if updated. Date Requested: N/A; Date Received: N/A; Status: Completed; Comments: Previously provided copy applicable through 2013.
(Items 1-12: Date Requested, Date Received, Provided by, Status and Comments not yet filled in.)
You and Your Auditor
Your responsibilities to your auditor include:
Provide a comfortable space.
Show them around, introduce them to staff they may see.
Make sure they have access to what they need.
Check in periodically during the day.
Be available.
A happy auditor is better than an unhappy auditor…
Conducting the Audit
1. Provide reports to the auditors for the selection of samples. If possible, give them a couple of weeks lead time.
2. Once sample is pulled, you then have time to review to see if there are likely to be any issues.
3. Coordinate with other offices they might need to visit: i.e. career center for work study, law school and med school financial aid offices.
4. Train your auditor so they know how to search. Find out specifically what they need.
Findings and Response
1. Ask your auditor to review the first instance that appears incorrect. They may be misinterpreting the data.
2. If something needs to be corrected, do it right then. They will note the date it is fixed. You will need to provide a response to the finding, however.
3. If it is not an issue, make sure you show why not.
4. Use any findings to help your operation:
a. Training
b. Resources
c. Organizational Structure
Audits:
Collection Agency Perspective
Two Audit Types:
Compliance Attestation
FISMA
(Federal Information Security Management Act)
Compliance Attestation Audit
Regulatory Requirement for Management of
Title IV Funds:
34 CFR 668.23: “a third party servicer shall have performed at
least annually a compliance audit that meets the compliance
audit standard for institutions of the servicer's administration of
the participation in Title IV programs”
What is the impact of this requirement on institutions and their servicers?
1. Institutions: this is an extension of their program compliance.
Servicers fulfill or supplement required program activity for
institutions.
2. Servicers: verifies that we fulfill our obligations under the
contracts performed.
Initial Guidance for Servicers:
Servicer/Institution Audit Guide- Amended July 1997
Amended again January 2000
Guarantor/Servicer Audit Guide, January 2000
These requirements apply to:
Campus Based Programs: Perkins Loans, Work Study, SEOG
Other: Pell, FFELP, Direct Loan Program
Areas of Compliance & Control Assertions:
Institutional Eligibility
Reporting
Student Eligibility
Disbursements
Refunds
Cash Management
Close-Out Examination
Perkins Collection/Due Diligence
Servicer Eligibility
Servicer Systems and Internal Controls
How does the audit process work?
Servicer provides assertions to compliance and internal
controls over compliance
Auditor expresses an opinion on these assertions
Initiating the Audit:
Servicer- determine what assertions (compliance elements)
apply to the contracts managed
Servicer- develop a responsibility matrix associated with
these assertions (who, what, where, when, how, why…)
Example: Collection agency servicing Perkins Loans
Compliance is subject to the provisions found in 34 CFR Part 674
(principally 674.45-48)
Potential Areas to Review:
1. Type of Placement (1st or 2nd referral)
2. Is litigation performed?
3. Who assesses collection costs to balance?
4. Are compromise offers calculated and presented?
5. Does servicer qualify accounts for consolidation?
6. Management of funds (trust account deposits and remittances)
Potential Areas to Review (continued):
7. Reporting of account status (at least quarterly)
8. Fidelity bonding requirements
9. Contract Review (required language)
Example: Collection agency servicing the collection of
Guarantee Agency or FFELP Lender funds
Compliance is subject to the provisions of 34 CFR Part 682
§ 682.416 Requirements for third-party servicers and lenders contracting with third-party servicers
(a) Standards of Administrative Capability
1. Provides Services & Administrative Resources
2. Business Systems (Automated & Manual)
3. Adequate & Knowledgeable Personnel
(b) Standards of Financial Responsibility
Applies the provisions of 34 CFR 668.15(b)(1)–(4) and
(6)–(9) to determine that a third-party servicer is
financially responsible
How does this impact the Audit?
1. Review contracts and determine services performed
2. Incorporate a Financial Audit into Compliance Audit
What Provisions are Subject to Review?
34 CFR 682.410
34 CFR 682.411
34 CFR 682.405
34 CFR Part 682, Appendix C
Key Steps to Compliance:
Develop responsibility matrix over each of the defined areas
Ensure that there is access to information that demonstrates
these defined areas
The Audit is Due:
Within six months of the completion of the entity’s fiscal
year
FISMA Audit: what is it?
FISMA is Title III of the E-Government Act of 2002 (Public Law 107-347),
the Federal Information Security Management Act. The standards and
guidelines it relies on (FIPS 199, FIPS 200 and the NIST SP 800 series)
are issued by the National Institute of Standards and Technology (NIST).
FISMA requires US federal agencies and their contractors to implement and
execute controls that are based on security and systems industry best
practices.
In order to obtain a federal contract, an organization must have
completed an independent review of its security systems.
Upon acceptance of the review, the organization receives an
Authority to Operate (ATO):
3-year review
Continuing surveillance
Under FISMA an organization is required to:
Develop an annual System Security Plan, based on 17 control families.
Conduct annual controls Self-Assessment (audit and testing).
Participate in an independent, 3rd party controls audit every three years.
Annually test incident response and contingency plan controls.
Provide Security Awareness Training on a semi-annual basis to all Associates.
Conduct quarterly internal and external network and system scans to identify
vulnerability areas.
Draft and revise a monthly Plan of Action and Milestones (POA&M) to address control
deficiencies in a timely and responsive manner.
Proactively manage security and systems configuration, patch application.
Critical Determinations:
1. FIPS 199 Categorization of Data (potential impact of a loss of confidentiality, integrity or availability)
High: severe or catastrophic impact; data whose compromise could result in death (CIA/FBI/Department of
Defense)
Moderate: serious impact; privacy-related data (PCI)
Low: limited impact; not significant
2. Assessment of the Severity of Data Managed
This leads to the development of the overall governing document
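The FIPS 199 categorization above is not a one-off judgment per system; FIPS 199 prescribes a high-water-mark rule that aggregates the per-objective impact of every information type the system handles, and FIPS 200 then uses the overall level to pick the SP 800-53 baseline the SSP is tailored from. The following is an added worked example of that rule, not code from the presentation. The information types, their names and the impact values are constructed for illustration and do not describe any organization's real categorization; the function names are the example's own.

```python
"""FIPS 199 security categorization using the high-water-mark rule.

Added worked example; not code from the presentation. The information
types, their names and the impact values below are constructed for
illustration, not a real categorization of any organization's system.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest.

    NA ("not applicable") is valid only for the confidentiality objective of
    an information type (e.g. information that is public by design).
    """
    NA = 0
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its impact per objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 permits NA for confidentiality only; integrity and
        # availability of any information type are at least LOW.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: NA is only allowed for confidentiality")


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Iterable[InfoType]) -> Tuple[Dict[str, Impact], Impact]:
    """Apply the FIPS 199 high-water-mark rule to a list of information types.

    Step 1: for each security objective, the system's level is the highest
    level of that objective over all information types it handles.
    Step 2: the overall categorization is the highest of the three objective
    levels; FIPS 200 uses it to select the SP 800-53 baseline (low, moderate
    or high) from which the SSP's control families are tailored.
    Returns (per-objective levels, overall level).
    """
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    per_objective: Dict[str, Impact] = {
        obj: max(getattr(t, obj) for t in types) for obj in OBJECTIVES
    }
    # NA cannot be assigned to a *system* objective: FIPS 199 sets a LOW
    # floor because the system's own processing functions need protecting
    # even when every information type it holds is public.
    if per_objective["confidentiality"] is Impact.NA:
        per_objective["confidentiality"] = Impact.LOW
    overall = max(per_objective.values())
    return per_objective, overall


def format_sc(per_objective: Dict[str, Impact]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {per_objective[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a loan-servicing system (illustrative values only).
SAMPLE_TYPES = [
    InfoType("borrower account records", Impact.MODERATE, Impact.LOW, Impact.LOW),
    InfoType("payment remittance ledger", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InfoType("published rate tables and notices", Impact.NA, Impact.LOW, Impact.LOW),
]

if __name__ == "__main__":
    levels, overall = categorize_system(SAMPLE_TYPES)
    print(format_sc(levels))
    print("overall system categorization:", overall.name)
```

The point a practitioner should take from running it: the system's categorization is driven by the single most sensitive information type on each objective, so adding one HIGH-availability feed to an otherwise MODERATE system raises the whole system, and with it the baseline the SSP and the three-year assessment are measured against.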
Two Key Elements:
1. System Security Plan (SSP): an 80-page template that contains the control groups (17 families / 174 control elements)
2. System Boundary Document: where data resides and what impacts the Government data
Control Families (FISMA controls; number of NIST SP 800-53 controls per family in parentheses):
Access Control (15)
Awareness & Training (4)
Audit and Accountability (11)
Security Assessment and Authorization (6)
Configuration Management (9)
Contingency Planning (9)
Identification and Authentication (8)
Incident Response (8)
Maintenance (6)
Media Protection (6)
Physical and Environmental Protection (18)
Planning (5)
Personnel Security (8)
Risk Assessment (5)
System and Services Acquisition (11)
System and Communications Protection (20)
System and Information Integrity (12)
Challenges of Both Audit Processes:
Time
Scope
Resources
Mitigation of Potential Findings (e.g. adequate logging of security events)
Maintenance of Documentation (updating of policies/procedures/controls)
Benefits of Both Audit Processes:
Independent judgment that the organization maintains the
appropriate security levels, protection and compliant
procedures to serve the public's interest
Audits drive the application of best business practices
surrounding internal controls and procedural documentation
Internal Governance:
Quality Control Division
Internal SOW
Federal Regulation
Client Compliance
Corporate Compliance
Risk Mitigation Committee: reviews compliance findings from
QC and determines level of severity and remediation. All business
stakeholders represented.
ISTF (Information Security Task Force): oversees the provision of the SSP and
company compliance with its provisions.
Introduction:
Jennifer Walker, Vice President, Internal Audit
Sallie Mae – General Revenue Corporation (GRC)
Discussion Objective & Topic:
The objective is to guide discussion of audit and compliance requirements for student financial services
offices and their service providers. More specifically:
o How should student financial services offices and their service providers best prepare for the variety of audits to
which they are subject and ultimately help ensure a positive outcome?
The primary topics discussed include:
o Risk Management: What is risk and how do we manage it?
o Common Thread: What do all audits have in common?
o Internal Controls Excellence: How does an internal controls program help make the audit
process easier?
o Lines of Defense: How can your Internal Audit and Compliance departments help contribute to a
positive audit outcome?
o Summary: Why everyone loves a good audit!
Risk Management:
What is a risk?
o The threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business
objectives and execute its strategies successfully
o Measured in terms of consequences and likelihood
How do we manage risk?
o Shared responsibility of individual lines of business and senior/executive management
o Depending on the size of your organization, the Board of Directors may serve in a risk oversight role
o Understand the risk and impact, and anticipate what could go wrong
o Establish a system of internal control
o Independent and objective evaluation and testing of controls by way of audits
What is an internal control?
o Internal controls can be described as any action taken by an organization to help enhance the likelihood that an
objective of the organization can be achieved
Importance of risk management and internal controls has increased significantly over
time as organizations have evolved and adapted with changes in the economy and
regulatory environment.
Good controls are good business!
Common Thread:
There are a variety of audits to which schools, servicers, and collection agencies that participate in
Federal Student Financial Assistance Programs are subject. For example:
o OMB A-133 Audit
o Federal Information Security Management Act (FISMA) Compliance Exam
o SSAE 16 or Service Organization Control (SOC) reports (SOC 1, SOC 2, and SOC 3; Type 1 or Type 2)
o Compliance Attestation Audits
o Financial Statement Audits
While each of these audits is unique in purpose, scope, and objective, there is a common thread among
all. These audits seek to confirm “internal controls” are in place and reasonable to ensure:
o Financial statements are accurate and fairly presented
o Appropriate management and usage of federal funds
o Compliance with applicable federal and state laws and regulations
o Security and confidentiality of data
o Compliance with contracts and agreements
o Timely identification, reporting, and remediation of control issues
One internal control program will satisfy many requirements!
Internal Controls Excellence - Overview:
Organizations should establish a standard, repeatable internal controls program that sets forth
requirements for:
o Understanding and evaluating significant risks
o Designing and implementing internal controls to mitigate significant financial, operational, and compliance risks
o Testing and monitoring the operational effectiveness of the internal controls
o Documenting the internal controls and related business processes and systems
Sallie Mae and its subsidiaries (including GRC) have established an Internal Controls Excellence (ICE)
Program that:
o Promotes the importance of effectively managing risk and internal controls
o Enhances the internal control environment, focusing on operational, financial, and compliance controls
o Ensures compliance with applicable laws, regulations, and contract requirements
o Facilitates improvements in process and procedure documentation
o Helps satisfy audit requirements
ICE Program framework designed using the Internal Control – Integrated Framework
published by the Committee of Sponsoring Organizations (COSO) of the Treadway
Commission and the Control Objectives for Information and Related Technology
(COBIT) as established by the Information Systems Audit and Control Association
(ISACA) and the IT Governance Institute
Internal Controls Excellence – Methodology Highlights:
Foundation of the ICE program is the identification of critical business processes and the assignment of
an individual business process owner to each critical business process.
Process Owners are responsible for:
o Creation of and updates to critical process documentation
o Monitoring of internal controls to ensure effectiveness
o Execution of Management Self-Assessment testing
o Identification, reporting, and remediation of control gaps/issues
o Completing internal control certifications
Critical processes are those that carry significant risk from a financial, operational, or compliance
perspective.
o Significance determined giving consideration to materiality, volume, subjectivity, complexity, fraud risk, etc.
o Organized by major line of business or operational area (e.g., Accounting, Client Services/Reporting, Payment
Processing, IT general computing controls)
Critical processes are supported by critical business applications, which are defined as
those applications that drive important business decisions, record critical information,
or have a significant impact to business operations.
Internal Controls Excellence – Methodology Highlights: (continued)
For each critical process, documentation is created to capture the details of the process, the risks associated
with that process, and the key internal controls.
o Control Matrix: Comprehensive listing of the respective risks, the key control activities in place to mitigate each risk,
the control objective of that activity, and the evidence that exists to validate the control activity.
o Narrative: Supports the control matrix and provides a more detailed written description of the processes in place and
the controls throughout the process.
o Flowchart: Provides a visual overview of the process steps described in the narrative and identifies where in the
process the control activities identified in the control matrix occur.
Documentation is maintained in a centralized, easily accessible repository.
Management Self-Assessment testing required twice a year on all critical processes and all key controls.
Results (including any exceptions) formally reported via certifications.
Quarterly and annual internal control certifications whereby Process Owners and senior management assert
to the design and operating effectiveness of the key controls within their critical processes.
Established ICE Program governance structure in place to:
o Monitor the status of significant control gaps/issues
o Provide program oversight
o Report to senior/executive management and the Audit Committee
Internal Controls Excellence – The Framework:
ICE Critical Processes - Overarching Framework (diagram; labels as shown):
Control categories: Financial Reporting Controls, Operational Controls, Compliance Controls
Testing and certification: Management Self-Assessment (Key Control Testing); Quarterly & Annual Control Certifications
Requirements and external parties: Sarbanes-Oxley (SOX 404) & Other SEC requirements; SSAE 16, Compliance Attestation; FDCPA, FCRA, TCPA, & Other Regulations; External parties (Schools, States, Agencies, & Other Clients); FISMA/NIST Continuous Monitoring
Independent Audit Activities: Internal Audits, External Audits
Objective Audit Activities: Compliance Monitoring
Lines of Defense:
A culture focused on internal controls excellence supported by a standard, repeatable internal controls
program with regular management self-assessment testing gets you two-thirds of the way there. Other
functions (such as Internal Audit and Compliance) can help round out a company’s system of internal
control.
At Sallie Mae and GRC, our Internal Audit and Compliance groups work together to provide
comprehensive risk coverage, prepare and respond to regulatory scrutiny, and strengthen the internal
control environment through the following common objectives:
o Promote internal controls program
o Ensure risk is appropriately understood, communicated, and managed
o Facilitate design and implementation of internal controls to manage and decrease risk
o Track and monitor remediation of issues
Internal Audit and Compliance help identify potential control issues and improvement opportunities in
advance of external parties.
o Always better if someone on your own team identifies the issue first!
o Preparing for a review by Internal Audit or Compliance will help prepare for the real deal.
Summary:
Establishment of a standard, repeatable company-wide internal controls program facilitates achieving and
maintaining a strong control environment.
o Controls evaluated as part of audits should be incorporated into the program.
o Management ownership for design, implementation, and testing of key controls is paramount.
o Controls should be routinely evaluated and tested.
o Control documentation should be maintained and can be leveraged by many.
o Proactive discussion and escalation of significant risks and internal control gaps makes for an informed management
team.
Good controls are good business!
Groups such as Internal Audit and Compliance are on your side; not out to get you.
o Share the same goal of “passing” an audit
o Coordinate with the third party auditors
o Help prepare for the exam or assessment
o Identify control issues in advance of exam or assessment
Organizations are unique; a single approach will not work for all.
o Remember the common thread across all audits
o Self-test controls to uncover any skeletons before the auditors do
o Internal Audit and Compliance are your friends
o Everyone loves a good audit!
Questions and Contacts
Ruth Hoch, George Washington University
Jennifer Walker, Sallie Mae-GRC
Steve Recchia, Enterprise Recovery Systems, Inc.