Understanding Audits (COHEAO)

January 30, 2012

Audits – A School Perspective

Agenda

1. A-133

2. Organizing your resources for an audit

3. You and your auditor

4. Conducting the audit

5. Findings and response

A-133 Definition:

This annual audit is required for all organizations that receive grants or other awards in excess of $500,000 from a federal agency. The specific rules for the audit are set by the Federal Office of Management and Budget. The focus of the audit is a financial report on all federal funds received and a report on our compliance with the rules and regulations of the granting agencies.

The procedures utilized are applicable to most other audits.

Organizing for an Audit: Using Web-Based Collaboration Software

Single location for all data regarding a project, group or process

Easy to share knowledge among a team (audit team, system implementation team, etc.)

Easy to search for data (by word, date, etc.)

Daily e-mail notifications for updated items, tasks and project status

Access controls for editing, viewing or hiding

Electronic site set up for such projects/areas as audits, topics of interest to the community (legislative, accounting, etc.), training, tax return preparation

Ability to create folders within folders: the audit site can have separate folders for the financial statement audit, the OMB A-133 audit and the NCAA audit; those folders might contain folders for financial aid samples, grants samples, loan samples, draw samples, minutes of meetings, notes for next year, deadlines, etc.

Files can be accessed by individuals at different locations (multiple campuses)

Organizing for an Audit: Document Management System

Electronic repository designed for business continuity/archival

Scan paper documents or import electronic documents

Allows for better record management (easy to retrieve for auditors when needed, easy to delete when retention period is over)

Organizing for an Audit: Compliance Request List

(Columns of the tracking sheet: Purpose, Description, Date Requested, Date Received, Provided by, Status, Comments. Only items 13-15 had the tracking columns filled in.)

1. Selections for Student File Testing: Federal Aid Recipient Audit Report for FY12 (detailed listing of all students receiving Federal Aid (Title IV); the detail should include the student name, identifying # (other than SSN), and amount of each type of aid received). PwC to make a selection.

2. Selections for Student File Testing: A detailed listing of the students who received Title VII aid during FY12.

3. Student File Testing: Access to student files and the Banner system for file testing.

4. Cash Management: Detailed listing of all draw downs by month and program (PwC to make selections for testing).

5. Cash Management: Access to supporting memos to UAS for drawdowns of federal funds (Award Balance Report/Activity Report for Pell, FSEOG and FWS).

6. Matching: Final Funding 2011-2012 authorization form/Final Federal Award Letter.

7. Matching/Reporting: Copy of the draft FISAP and support.

8. Matching: Annual Operating Reports for PCL and LDS and support.

9. Federal Work Study: Access to the employer files for all students selected for FWS testing.

10. Federal Work Study: Access to time sheets for all students selected for FWS testing.

11. Federal Work Study: Access to the employment authorization forms for all students selected for FWS.

12. Federal Work Study: A listing of all outside organizations the University uses to employ Federal Work Study students.

13. Institutional Eligibility: Access to the Annual Campus Security Report. Date Requested: N/A. Date Received: N/A. Provided by: Online. Status: Completed. Comments: Provide link here.

14. Institutional Eligibility: Copy of the most recent Eligibility and Certification Approval Report, if updated. Date Requested: N/A. Date Received: N/A. Status: Completed. Comments: Previously provided copy applicable through 2013.

15. Institutional Eligibility: Program Participation Agreement, if updated. Date Requested: N/A. Date Received: N/A. Status: Completed. Comments: Previously provided copy applicable through 2013.

You and Your Auditor

Your responsibilities to your auditor include:

Provide a comfortable space.

Show them around, introduce them to staff they may see.

Make sure they have access to what they need.

Check in periodically during the day.

Be available.

A happy auditor is better than an unhappy auditor…

Conducting the Audit

1. Provide reports to the auditors for the selection of samples. If possible, give them a couple of weeks lead time.

2. Once the sample is pulled, you then have time to review it to see if there are likely to be any issues.

3. Coordinate with other offices they might need to visit, e.g. the career center for work study, or the law school and med school financial aid offices.

4. Train your auditor so they know how to search. Find out specifically what they need.

Findings and Response

1. Ask your auditor to review the first instance that appears incorrect. They may be misinterpreting the data.

2. If something needs to be corrected, do it right then. They will note the date it is fixed. You will still need to provide a response to the finding, however.

3. If it is not an issue, make sure you show why not.

4. Use any findings to help your operation:

a. Training

b. Resources

c. Organizational Structure

Audits:

Collection Agency Perspective

Two Audit Types:

Compliance Attestation

FISMA

(Federal Information Security Management Act)


Compliance Attestation Audit

Regulatory Requirement for Management of Title IV Funds:

34 CFR 668.23: “a third party servicer shall have performed at least annually a compliance audit that meets the compliance audit standard for institutions of the servicer’s administration of the participation in Title IV programs”

What is the impact of this requirement on institutions and their servicers?

1. Institutions: This is an extension of their program compliance. Servicers fulfill or supplement required program activity for institutions.

2. Servicers: The audit verifies that we fulfill our obligations under the contracts performed.

Initial Guidance for Servicers:

Servicer/Institution Audit Guide, amended July 1997 and amended again January 2000

Guarantor/Servicer Audit Guide, January 2000

These requirements apply to:

Campus Based Programs (Perkins Loans, Work Study, SEOG, Other)

Pell

FFELP

Direct Loan Program

Areas of Compliance & Control Assertions:

Institutional Eligibility

Reporting

Student Eligibility

Disbursements

Refunds

Cash Management

Close-Out Examination

Perkins Collection/Due Diligence

Servicer Eligibility

Servicer Systems and Internal Controls

How does the audit process work?

Servicer provides assertions to compliance and internal controls over compliance

Auditor expresses an opinion on these assertions

Initiating the Audit:

Servicer: determine what assertions (compliance elements) apply to the contracts managed

Servicer: develop a responsibility matrix associated with these assertions (who, what, where, when, how, why…)

Example: Collection Agency Servicing on Perkins Loans

Compliance is subject to provisions found in 34 CFR 674 (principally 674.45-48)

Potential Areas to Review:

1. Type of Placement (1st or 2nd referral)

2. Is litigation performed?

3. Who assesses collection costs to balance?

4. Are compromise offers calculated and presented?

5. Does servicer qualify accounts for consolidation?

6. Management of funds (trust account deposits and remittances)

7. Reporting of account status (at least quarterly)

8. Fidelity bonding requirements

9. Contract Review (required language)

Example: Collection Agency Servicing the Collection of Guarantee Agency or FFELP Lender Funds

Compliance subject to the provisions of 34 CFR Section 682

§ 682.416 Requirements for third-party servicers and lenders contracting with third-party servicers

(a) Standards of Administrative Capability

1. Provides Services & Administrative Resources

2. Business Systems (Automated & Manual)

3. Adequate & Knowledgeable Personnel

(b) Standards of Financial Responsibility

Applies the provisions of 34 CFR 668.15(b)(1)–(4) and (6)–(9) to determine that a third-party servicer is financially responsible


How does this impact the Audit?

1. Review contracts and determine services performed

2. Incorporate a Financial Audit into Compliance Audit

What Provisions are Subject to Review?

34 CFR 682.410

34 CFR 682.411

34 CFR 682.405

34 CFR 682 Appendix C

Key Steps to Compliance:

Develop a responsibility matrix over each of the defined areas

Ensure that there is access to information that demonstrates these defined areas

The Audit is Due:

Within six months of the completion of the entity’s fiscal year

FISMA Audit: what is it?

FISMA is defined in the E-Government Act of 2002 (Public Law 107-347), Title III, Federal Information Security Management Act (FISMA), which is governed by the National Institute of Standards and Technology (NIST). FISMA requires US federal agencies and their contractors to implement and execute controls that are based on security and systems industry best practices.

In order to obtain a federal contract, an organization must have completed an independent review of its security systems. Upon acceptance of the review, the organization receives an Authority to Operate:

3 Year Review

Continuing surveillance

Under FISMA an organization is required to:

Develop an annual System Security Plan, based on 17 control families.

Conduct an annual controls Self-Assessment (audit and testing).

Participate in an independent, 3rd party controls audit every three years.

Annually test incident response and contingency plan controls.

Provide Security Awareness Training on a semi-annual basis to all Associates.

Conduct quarterly internal and external network and system scans to identify vulnerability areas.

Draft and revise a monthly Plan of Actions & Milestones (POAM) to address control deficiencies in a timely and responsive manner.

Proactively manage security and systems configuration and patch application.

Critical Determinations:

1. FIPS 199 Categorization of Data

High: Data that could result in death (CIA/FBI/Department of Defense)

Moderate: Privacy related data (PCI)

Low: Not significant

2. Assessment of the Severity of Data Managed

This leads to the development of the overall governing document

Two Key Elements:

1. System Security Plan (SSP): 80 page template that contains control groups (17 families/174 control elements)

2. System Boundary Document: where data resides and what impacts the Government data

Control Families (FISMA Controls):

Access Control (15)

Awareness & Training (4)

Audit and Accountability (11)

Security Assessment and Authorization (6)

Configuration Management (9)

Contingency Planning (9)

Identification and Authentication (8)

Incident Response (8)

Maintenance (6)

Media Protection (6)

Physical and Environmental Protection (18)

Planning (5)

Personnel Security (8)

Risk Assessment (5)

System and Services Acquisition (11)

System and Communications Protection (20)

System and Information Integrity (12)

Challenges of Both Audit Processes:

Time

Scope

Resources

Mitigation of Potential Findings (e.g. adequate logging of security events)

Maintenance of Documentation (updating of policies/procedures/controls)

Benefits of Both Audit Processes:

Independent judgment that the organization maintains the appropriate security levels, protection and compliant procedures to serve the public’s interest

Audits drive the application of best business practices surrounding internal controls and procedural documentation

Internal Governance:

Quality Control Division

Internal SOW

Federal Regulation

Client Compliance

Corporate Compliance

Risk Mitigation Committee: Reviews compliance findings from QC and determines level of severity and remediation. All business stakeholders represented.

ISTF (Information Security Task Force): Oversees the provision of the SSP and company compliance within these provisions

Introduction:

Jennifer Walker, Vice President, Internal Audit

Sallie Mae – General Revenue Corporation (GRC)

Discussion Objective & Topic:

The objective is to guide discussion of audit and compliance requirements for student financial services offices and their service providers. More specifically:

o How should student financial services offices and their service providers best prepare for the variety of audits to which they are subject and ultimately help ensure a positive outcome?

The primary topics discussed include:

o Risk Management: What is risk and how do we manage it?

o Common Thread: What do all audits have in common?

o Internal Controls Excellence: How does an internal controls program help make the audit process easier?

o Lines of Defense: How can your Internal Audit and Compliance departments help contribute to a positive audit outcome?

o Summary: Why everyone loves a good audit!

Risk Management:

What is a risk?

o The threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully

o Measured in terms of consequences and likelihood

How do we manage risk?

o Shared responsibility of individual lines of business and senior/executive management

o Depending on the size of your organization, the Board of Directors may serve in a risk oversight role

o Understand the risk and impact, and anticipate what could go wrong

o Establish a system of internal control

o Independent and objective evaluation and testing of controls by way of audits

What is an internal control?

o Internal controls can be described as any action taken by an organization to help enhance the likelihood that an objective of the organization can be achieved

The importance of risk management and internal controls has increased significantly over time as organizations have evolved and adapted with changes in the economy and regulatory environment.

Good controls are good business!

Common Thread:

There are a variety of audits to which schools, servicers, and collection agencies that participate in Federal Student Financial Assistance Programs are subject. For example:

o OMB A-133 Audit

o Federal Information Security Management Act (FISMA) Compliance Exam

o SSAE 16 or Service Organization Control (SOC) Reports (Types 1, 2, & 3)

o Compliance Attestation Audits

o Financial Statement Audits

While each of these audits is unique in purpose, scope, and objective, there is a common thread among all. These audits seek to confirm “internal controls” are in place and reasonable to ensure:

o Financial statements are accurate and fairly presented

o Appropriate management and usage of federal funds

o Compliance with applicable federal and state laws and regulations

o Security and confidentiality of data

o Compliance with contracts and agreements

o Timely identification, reporting, and remediation of control issues

One internal control program will satisfy many requirements!

Internal Controls Excellence - Overview:

Organizations should establish a standard, repeatable internal controls program that sets forth requirements for:

o Understanding and evaluating significant risks

o Designing and implementing internal controls to mitigate significant financial, operational, and compliance risks

o Testing and monitoring the operational effectiveness of the internal controls

o Documenting the internal controls and related business processes and systems

Sallie Mae and its subsidiaries (including GRC) have established an Internal Controls Excellence (ICE) Program that:

o Promotes the importance of effectively managing risk and internal controls

o Enhances the internal control environment, focusing on operational, financial, and compliance controls

o Ensures compliance with applicable laws, regulations, and contract requirements

o Facilitates improvements in process and procedure documentation

o Helps satisfy audit requirements

The ICE Program framework is designed using the Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and the Control Objectives for Information and Related Technology (COBIT) as established by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute.

Internal Controls Excellence – Methodology Highlights:

The foundation of the ICE program is the identification of critical business processes and the assignment of an individual business process owner to each critical business process.

Process Owners are responsible for:

o Creation of and updates to critical process documentation

o Monitoring of internal controls to ensure effectiveness

o Execution of Management Self-Assessment testing

o Identification, reporting, and remediation of control gaps/issues

o Completing internal control certifications

Critical processes are those that carry significant risk from a financial, operational, or compliance perspective.

o Significance determined giving consideration to materiality, volume, subjectivity, complexity, fraud risk, etc.

o Organized by major line of business or operational area (e.g., Accounting, Client Services/Reporting, Payment Processing, IT general computing controls)

Critical processes are supported by critical business applications, which are defined as those applications that drive important business decisions, record critical information, or have a significant impact on business operations.

Internal Controls Excellence – Methodology Highlights (continued):

For each critical process, documentation is created to capture the details of the process, the risks associated with that process, and the key internal controls.

o Control Matrix: Comprehensive listing of the respective risks, the key control activities in place to mitigate each risk, the control objective of that activity, and the evidence that exists to validate the control activity.

o Narrative: Supports the control matrix and provides a more detailed written description of the processes in place and the controls throughout the process.

o Flowchart: Provides a visual overview of the process steps described in the narrative and identifies where in the process the control activities identified in the control matrix occur.

Documentation is maintained in a centralized, easily accessible repository.

Management Self-Assessment testing is required twice a year on all critical processes and all key controls. Results (including any exceptions) are formally reported via certifications.

Quarterly and annual internal control certifications whereby Process Owners and senior management assert to the design and operating effectiveness of the key controls within their critical processes.

An established ICE Program governance structure is in place to:

o Monitor the status of significant control gaps/issues

o Provide program oversight

o Report to senior/executive management and the Audit Committee

Internal Controls Excellence – The Framework:

ICE Critical Processes - Overarching Framework (diagram): Financial Reporting Controls, Operational Controls, Compliance Controls

Management Self-Assessment (Key Control Testing); Quarterly & Annual Control Certifications

Other diagram labels: Sarbanes-Oxley (SOX 404) & Other SEC requirements; SSAE 16, Compliance Attestation; FDCPA, FCRA, TCPA, & Other Regulations; External parties (Schools, States, Agencies, & Other Clients); FISMA/NIST Continuous Monitoring

Independent Audit Activities: Internal Audits, External Audits

Objective Audit Activities: Compliance Monitoring

Lines of Defense:

A culture focused on internal controls excellence, supported by a standard, repeatable internal controls program with regular management self-assessment testing, gets you two-thirds of the way there. Other functions (such as Internal Audit and Compliance) can help round out a company’s system of internal control.

At Sallie Mae and GRC, our Internal Audit and Compliance groups work together to provide comprehensive risk coverage, prepare for and respond to regulatory scrutiny, and strengthen the internal control environment through the following common objectives:

o Promote the internal controls program

o Ensure risk is appropriately understood, communicated, and managed

o Facilitate design and implementation of internal controls to manage and decrease risk

o Track and monitor remediation of issues

Internal Audit and Compliance help identify potential control issues and improvement opportunities in advance of external parties.

o Always better if someone on your own team identifies the issue first!

o Preparing for a review by Internal Audit or Compliance will help prepare for the real deal.

Summary:

Establishment of a standard, repeatable company-wide internal controls program facilitates achieving and

maintaining a strong control environment.

o Controls evaluated as part of audits should be incorporated into the program.

o Management ownership for design, implementation, and testing of key controls is paramount.

o Controls should be routinely evaluated and tested.

o Control documentation should be maintained and can be leveraged by many.

o Proactive discussion and escalation of significant risks and internal control gaps makes for an informed management team.

Good controls are good business!

Groups such as Internal Audit and Compliance are on your side; not out to get you.

o Share the same goal of “passing” an audit

o Coordinate with the third party auditors

o Help prepare for the exam or assessment

o Identify control issues in advance of exam or assessment

Organizations are unique; a single approach will not work for all.

o Remember the common thread across all audits

o Self-test controls to uncover any skeletons before the auditors do

o Internal Audit and Compliance are your friends

o Everyone loves a good audit!

Questions and Contacts

Ruth Hoch, George Washington University

[email protected]

Jennifer Walker, Sallie Mae-GRC

[email protected]

Steve Recchia, Enterprise Recovery Systems, Inc.

[email protected]