Understanding Audits
January 30, 2012

Audits: A School Perspective

Agenda
1. A-133
2. Organizing your resources for an audit
3. You and your auditor
4. Conducting the audit
5. Findings and response

A-133

Definition: This annual audit is required for all organizations that expend $500,000 or more in federal grants or other awards in a fiscal year. The specific rules for the audit are set by the federal Office of Management and Budget (OMB Circular A-133). The focus of the audit is a financial report on all federal funds received and a report on the organization's compliance with the rules and regulations of the granting agencies. The procedures used are applicable to most other audits.

Organizing for an Audit: Using Web-Based Collaboration Software
- Single location for all data regarding a project, group or process
- Easy to share knowledge among a team (audit team, system implementation team, etc.)
- Easy to search for data (by word, date, etc.)
- Daily e-mail notifications for updated items, tasks and project status
- Access controls for editing, viewing or hiding
- Electronic site set up for such projects/areas as audits, topics of interest to the community (legislative, accounting, etc.), training, tax return preparation
- Ability to create folders within folders: the audit site can have separate folders for the financial statement audit, the OMB A-133 audit and the NCAA audit; those folders might contain folders for financial aid samples, grants samples, loan samples, draw samples, minutes of meetings, notes for next year, deadlines, etc.
- Files can be accessed by individuals at different locations (multiple campuses)

Organizing for an Audit: Document Management System
- Electronic repository designed for business continuity/archival
- Scan paper documents or import electronic documents
- Allows for better record management (easy to retrieve for auditors when needed, easy to delete when the retention period is over)

Organizing for an Audit: Compliance Request List

The compliance request list (columns: #, Purpose, Description, Date Requested, Date Provided, Provided By, Received, Status, Comments) tracks each item the auditors (PwC) asked for:

1. Selections for Student File Testing: Federal Aid Recipient Audit Report for FY 12 (detailed listing of all students receiving federal aid (Title IV); the detail should include the student name, identifying # (other than SSN) and the amount of each type of aid received). PwC to make a selection.
2. Selections for Student File Testing: A detailed listing of the students who received Title VII aid during FY 12.
3. Student File Testing: Access to student files and the Banner system for file testing.
4. Cash Management: Detailed listing of all drawdowns by month and program (PwC to make selections for testing).
5. Cash Management: Access to supporting memos to UAS for drawdowns of federal funds (Award Balance Report/Activity Report for Pell, FSEOG and FWS).
6. Matching: Final Funding 2011-2012 authorization form/Final Federal Award Letter.
7. Matching/Reporting: Copy of the draft FISAP and support.
8. Matching: Annual Operating Reports for PCL and LDS and support.
9. Federal Work Study: Access to the employer files for all students selected for FWS testing.
10. Federal Work Study: Access to time sheets for all students selected for FWS testing.
11. Federal Work Study: Access to the employment authorization forms for all students selected for FWS.
12. Federal Work Study: A listing of all outside organizations the University uses to employ Federal Work Study students.
13. Institutional Eligibility: Access to the Annual Campus Security Report.
14. Institutional Eligibility: Copy of the most recent Eligibility and Certification Approval Report, if updated.
15. Institutional Eligibility: Program Participation Agreement, if updated.

Only fragments of the tracking columns survived on the slide: status values of N/A, Online and Completed, and the comments "Provide link here." and "Previously provided copy applicable through 2013".

You and Your Auditor

Your responsibilities to your auditor include:
- Provide a comfortable space.
- Show them around; introduce them to staff they may see.
- Make sure they have access to what they need.
- Check in periodically during the day. Be available.
- A happy auditor is better than an unhappy auditor...

Conducting the Audit
1. Provide reports to the auditors for the selection of samples. If possible, give them a couple of weeks lead time.
2. Once the sample is pulled, you then have time to review it to see if there are likely to be any issues.
3. Coordinate with other offices they might need to visit, e.g. the career center for work study, and the law school and med school financial aid offices.
4. Train your auditor so they know how to search. Find out specifically what they need.

Findings and Response
1. Ask your auditor to review the first instance that appears incorrect. They may be misinterpreting the data.
2. If something needs to be corrected, do it right then. They will note the date it is fixed. You will still need to provide a response to the finding, however.
3. If it is not an issue, make sure you show why not.
4. Use any findings to help your operation:
   a. Training
   b. Resources
   c. Organizational structure

Audits: Collection Agency Perspective

Two audit types:
- Compliance Attestation
- FISMA (Federal Information Security Management Act)

Compliance Attestation Audit

Regulatory requirement for management of Title IV funds, 34 CFR 668.23: "a third party servicer shall have performed at least annually a compliance audit that meets the compliance audit standard for institutions of the servicer's administration of the participation in Title IV programs".

What is the impact of this requirement on institutions and their servicers?
1. Institutions: this is an extension of their program compliance. Servicers fulfill or supplement required program activity for institutions.
2. Servicers: it verifies that we fulfill our obligations under the contracts we perform.

Initial guidance for servicers:
- Servicer/Institution Audit Guide, amended July 1997 and amended again January 2000
- Guarantor/Servicer Audit Guide, January 2000

These requirements apply to:
- Campus-based programs
  - Perkins Loans
  - Work Study
  - SEOG
- Other
  - Pell
  - FFELP
  - Direct Loan Program

Areas of compliance and control assertions:
- Institutional Eligibility
- Reporting
- Student Eligibility
- Disbursements
- Refunds
- Cash Management
- Close-Out Examination
- Perkins Collection/Due Diligence
- Servicer Eligibility
- Servicer Systems and Internal Controls

How does the audit process work?
- The servicer provides assertions about its compliance and its internal controls over compliance.
- The auditor expresses an opinion on these assertions.

Initiating the audit:
- Servicer: determine what assertions (compliance elements) apply to the contracts managed.
- Servicer: develop a responsibility matrix associated with these assertions (who, what, where, when, how, why...).

Example: Collection Agency Servicing Perkins Loans
- Compliance is subject to the provisions found in 34 CFR Part 674 (principally 674.45-48).

Potential areas to review:
1. Type of placement (1st or 2nd referral)
2. Is litigation performed?
3. Who assesses collection costs to the balance?
4. Are compromise offers calculated and presented?
5. Does the servicer qualify accounts for consolidation?
6. Management of funds (trust account deposits and remittances)
7. Reporting of account status (at least quarterly)
8. Fidelity bonding requirements
9. Contract review (required language)

Example: Collection Agency Servicing the Collection of Guarantee Agency or FFELP Lender Funds
- Compliance is subject to the provisions of 34 CFR Part 682.

34 CFR 682.416, Requirements for third-party servicers and lenders contracting with third-party servicers:
(a) Standards of administrative capability
  1. Provides services and administrative resources
  2. Business systems (automated and manual)
  3. Adequate and knowledgeable personnel
(b) Standards of financial responsibility
  1. Applies the provisions of 34 CFR 668.15(b)(1)-(4) and (6)-(9) to determine that a third-party servicer is financially responsible

How does this impact the audit?
1. Review contracts and determine the services performed.
2. Incorporate a financial audit into the compliance audit.

What provisions are subject to review?
- 34 CFR 682.410
- 34 CFR 682.411
- 34 CFR 682.405
- 34 CFR Part 682, Appendix C


Key steps to compliance:
- Develop a responsibility matrix over each of the defined areas.
- Ensure that there is access to the information that demonstrates compliance in each of these defined areas.

The audit is due within six months of the completion of the entity's fiscal year.

FISMA Audit: what is it?
FISMA is Title III of the E-Government Act of 2002 (Public Law 107-347), the Federal Information Security Management Act. The standards and guidelines that implement it (FIPS 199, FIPS 200 and the NIST SP 800 series, notably SP 800-53) are developed by the National Institute of Standards and Technology (NIST). FISMA requires US federal agencies, and contractors operating systems on their behalf, to implement and maintain security controls based on those standards and on industry best practice.

In order to obtain a federal contract, the organization must have completed an independent review (assessment) of its security controls. Upon acceptance of the review, the organization receives an Authorization to Operate (ATO), which is subject to:
- a full reauthorization review every three years
- continuing surveillance (continuous monitoring) in between

Under FISMA, an organization is required to:
- Develop an annual System Security Plan (SSP), based on the 17 control families.
- Conduct an annual controls self-assessment (audit and testing).
- Participate in an independent, third-party controls audit every three years.
- Annually test incident response and contingency plan controls.
- Provide security awareness training on a semi-annual basis to all associates.
- Conduct quarterly internal and external network and system scans to identify vulnerabilities.
- Draft and revise a monthly Plan of Action and Milestones (POA&M) to address control deficiencies in a timely and responsive manner.
- Proactively manage security and system configuration and patch application.

Critical determinations:
1. FIPS 199 categorization of data. FIPS 199 rates the potential impact of a loss of confidentiality, integrity or availability for each type of information the system handles:
   - High: a severe or catastrophic adverse effect, e.g. data whose compromise could result in death (CIA/FBI/Department of Defense)
   - Moderate: a serious adverse effect, e.g. privacy-related data (the presenters also cite PCI data)
   - Low: a limited adverse effect; not significant
   The system's category for each objective is the highest rating (the "high-water mark") among its information types, and the overall categorization that selects the control baseline is the highest of the three objectives.
2. Assessment of the severity of the data managed.
This leads to the development of the overall governing document (the System Security Plan).
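The high-water mark rule is easy to get wrong by hand when a system carries several information types, so here it is as a small Python program. This is an added worked example, not part of the presentation and not any agency's real categorization: the information types in SAMPLE_INFO_TYPES, their provisional ratings and the function names are constructed for illustration. The rules it encodes are the FIPS 199 ones (N/A is allowed only for confidentiality of public information and never for a system as a whole; each objective takes the highest rating across information types) plus the FIPS 200 rule that the overall level is the highest objective.

```python
"""FIPS 199 security categorization of an information system.

Added worked example, not material from the presentation. The information
types below and their impact ratings are constructed for illustration.
"""
from typing import Dict, Tuple

# Ordering of FIPS 199 potential-impact levels. "N/A" is meaningful only for
# the confidentiality of public information; it never applies to integrity or
# availability, and never to a system as a whole (see categorize_system).
LEVELS: Dict[str, int] = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: a servicer system handling three information types,
# each rated (confidentiality, integrity, availability).
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public web content": ("N/A", "LOW", "LOW"),
    "borrower PII": ("MODERATE", "MODERATE", "LOW"),
    "payment remittance ledger": ("MODERATE", "HIGH", "MODERATE"),
}


def validate(info_type: str, impacts: Tuple[str, str, str]) -> None:
    """Reject impact ratings that FIPS 199 does not allow."""
    if len(impacts) != len(OBJECTIVES):
        raise ValueError(f"{info_type}: expected (C, I, A), got {impacts!r}")
    for objective, level in zip(OBJECTIVES, impacts):
        if level not in LEVELS:
            raise ValueError(f"{info_type}: unknown impact level {level!r} for {objective}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{info_type}: N/A is permitted only for confidentiality")


def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Return the system category per objective plus the overall level.

    For each objective the system inherits the highest rating of that
    objective over all information types it stores, processes or transmits
    (the FIPS 199 high-water mark). A system category can never be N/A, so a
    system that only holds public information still gets LOW confidentiality.
    The overall level is the highest of the three objectives (FIPS 200) and
    selects the SP 800-53 low/moderate/high baseline.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system = {objective: "N/A" for objective in OBJECTIVES}
    for name, impacts in info_types.items():
        validate(name, impacts)
        for objective, level in zip(OBJECTIVES, impacts):
            if LEVELS[level] > LEVELS[system[objective]]:
                system[objective] = level
    if system["confidentiality"] == "N/A":
        system["confidentiality"] = "LOW"  # FIPS 199: N/A is not a system value
    system["overall"] = max((system[o] for o in OBJECTIVES), key=LEVELS.__getitem__)
    return system


def format_sc(system: Dict[str, str], name: str = "system") -> str:
    """Render a category in the notation FIPS 199 itself uses, e.g.
    SC system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    """
    body = ", ".join(f"({o}, {system[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{body}}}"


def categorize_sample() -> Dict[str, str]:
    """Categorize the constructed sample system above."""
    return categorize_system(SAMPLE_INFO_TYPES)


if __name__ == "__main__":
    sc = categorize_sample()
    print(format_sc(sc, "servicer system"))
    print("overall:", sc["overall"], "-> SP 800-53", sc["overall"].lower(), "baseline")
```

Run stand-alone it categorizes the constructed sample as HIGH overall: no single information type is "could result in death" data, but the integrity rating of the remittance ledger sets the integrity high-water mark to HIGH and that alone fixes the baseline. That is the practical point of the rule: the rule of thumb on the slide (privacy data is Moderate) describes individual information types, while the baseline the SSP must satisfy follows the highest objective of the whole system.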

Two key elements:
1. System Security Plan (SSP): an 80-page template that contains the control groups (17 families/174 control elements)
2. System boundary document: where the data resides and what affects the government data

Control families (the NIST SP 800-53 families; counts per family as given in the presentation):
- Access Control (15)
- Awareness and Training (4)
- Audit and Accountability (11)
- Security Assessment and Authorization (6)
- Configuration Management (9)
- Contingency Planning (9)
- Identification and Authentication (8)
- Incident Response (8)
- Maintenance (6)
- Media Protection (6)
- Physical and Environmental Protection (18)
- Planning (5)
- Personnel Security (8)
- Risk Assessment (5)
- System and Services Acquisition (11)
- System and Communications Protection (20)
- System and Information Integrity (12)

Challenges of both audit processes:
- Time
- Scope
- Resources
- Mitigation of potential findings (e.g. adequate logging of security events)
- Maintenance of documentation (updating of policies/procedures/controls)

Benefits of both audit processes:
- Independent judgment that the organization maintains the appropriate security levels, protection and compliant procedures to serve the public's interest
- Audits drive the application of best business practices surrounding internal controls and procedural documentation

Internal governance:
- Quality Control Division: internal SOW, federal regulation, client compliance, corporate compliance
- Risk Mitigation Committee: reviews compliance findings from QC and determines the level of severity and remediation. All business stakeholders are represented.
- ISTF (Information Security Task Force): oversees the provision of the SSP and company compliance with its provisions

Introduction: Jennifer Walker, Vice President, Internal Audit, Sallie Mae – General Revenue Corporation (GRC)

Discussion Objective and Topic

- The objective is to guide discussion of audit and compliance requirements for student financial services offices and their service providers. More specifically: how should student financial services offices and their service providers best prepare for the variety of audits to which they are subject and ultimately help ensure a positive outcome?
- The primary topics discussed include:
  - Risk Management: What is risk and how do we manage it?
  - Common Thread: What do all audits have in common?
  - Internal Controls Excellence: How does an internal controls program help make the audit process easier?
  - Lines of Defense: How can your Internal Audit and Compliance departments help contribute to a positive audit outcome?
  - Summary: Why everyone loves a good audit!

Risk Management

- What is a risk?
  - The threat that an event, action, or non-action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully
  - Measured in terms of consequences and likelihood
- How do we manage risk?
  - Shared responsibility of individual lines of business and senior/executive management
  - Depending on the size of your organization, the Board of Directors may serve in a risk oversight role
  - Understand the risk and impact, and anticipate what could go wrong
  - Establish a system of internal control
  - Independent and objective evaluation and testing of controls by way of audits
- What is an internal control?
  - Internal controls can be described as any action taken by an organization to help enhance the likelihood that an objective of the organization can be achieved
- The importance of risk management and internal controls has increased significantly over time as organizations have evolved and adapted to changes in the economy and regulatory environment.
- Good controls are good business!

Common Thread

- There are a variety of audits to which schools, servicers, and collection agencies that participate in Federal Student Financial Assistance Programs are subject. For example:
  - OMB A-133 Audit
  - Federal Information Security Management Act (FISMA) Compliance Exam
  - SSAE 16 or Service Organization Control (SOC) Reports (SOC 1, 2 and 3)
  - Compliance Attestation Audits
  - Financial Statement Audits
- While each of these audits is unique in purpose, scope, and objective, there is a common thread among all. These audits seek to confirm that "internal controls" are in place and reasonable to ensure:
  - Financial statements are accurate and fairly presented
  - Appropriate management and usage of federal funds
  - Compliance with applicable federal and state laws and regulations
  - Security and confidentiality of data
  - Compliance with contracts and agreements
  - Timely identification, reporting, and remediation of control issues
- One internal control program will satisfy many requirements!

Internal Controls Excellence - Overview

- Organizations should establish a standard, repeatable internal controls program that sets forth requirements for:
  - Understanding and evaluating significant risks
  - Designing and implementing internal controls to mitigate significant financial, operational, and compliance risks
  - Testing and monitoring the operational effectiveness of the internal controls
  - Documenting the internal controls and related business processes and systems
- Sallie Mae and its subsidiaries (including GRC) have established an Internal Controls Excellence (ICE) Program that:
  - Promotes the importance of effectively managing risk and internal controls
  - Enhances the internal control environment, focusing on operational, financial, and compliance controls
  - Ensures compliance with applicable laws, regulations, and contract requirements
  - Facilitates improvements in process and procedure documentation
  - Helps satisfy audit requirements
- The ICE Program framework was designed using the Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and the Control Objectives for Information and Related Technology (COBIT) established by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute.

Internal Controls Excellence – Methodology Highlights

- The foundation of the ICE program is the identification of critical business processes and the assignment of an individual business process owner to each critical business process.
- Process Owners are responsible for:
  - Creation of and updates to critical process documentation
  - Monitoring of internal controls to ensure effectiveness
  - Execution of Management Self-Assessment testing
  - Identification, reporting, and remediation of control gaps/issues
  - Completing internal control certifications
- Critical processes are those that carry significant risk from a financial, operational, or compliance perspective.
  - Significance is determined giving consideration to materiality, volume, subjectivity, complexity, fraud risk, etc.
  - Organized by major line of business or operational area (e.g., Accounting, Client Services/Reporting, Payment Processing, IT general computing controls)
- Critical processes are supported by critical business applications, which are defined as those applications that drive important business decisions, record critical information, or have a significant impact on business operations.

Internal Controls Excellence – Methodology Highlights (continued)

- For each critical process, documentation is created to capture the details of the process, the risks associated with that process, and the key internal controls:
  - Control Matrix: comprehensive listing of the respective risks, the key control activities in place to mitigate each risk, the control objective of that activity, and the evidence that exists to validate the control activity.
  - Narrative: supports the control matrix and provides a more detailed written description of the processes in place and the controls throughout the process.
  - Flowchart: provides a visual overview of the process steps described in the narrative and identifies where in the process the control activities identified in the control matrix occur.
- Documentation is maintained in a centralized, easily accessible repository.
- Management Self-Assessment testing is required twice a year on all critical processes and all key controls. Results (including any exceptions) are formally reported via certifications.
- Quarterly and annual internal control certifications, whereby Process Owners and senior management assert to the design and operating effectiveness of the key controls within their critical processes.
- An established ICE Program governance structure is in place to:
  - Monitor the status of significant control gaps/issues
  - Provide program oversight
  - Report to senior/executive management and the Audit Committee

Internal Controls Excellence – The Framework

[Framework diagram. It shows the ICE critical processes as the overarching framework, grouped into Financial Reporting Controls, Operational Controls and Compliance Controls, with Management Self-Assessment (key control testing) and Quarterly and Annual Control Certifications applied across them. External requirements shown feeding in: Sarbanes-Oxley (SOX 404) and other SEC requirements; SSAE 16 and Compliance Attestation; FDCPA, FCRA, TCPA and other regulations; external parties (schools, states, agencies and other clients); FISMA/NIST continuous monitoring. Independent audit activities: internal audits, external audits. Objective audit activities: compliance monitoring.]

Lines of Defense

- A culture focused on internal controls excellence, supported by a standard, repeatable internal controls program with regular management self-assessment testing, gets you two-thirds of the way there. Other functions (such as Internal Audit and Compliance) can help round out a company's system of internal control.
- At Sallie Mae and GRC, our Internal Audit and Compliance groups work together to provide comprehensive risk coverage, prepare for and respond to regulatory scrutiny, and strengthen the internal control environment through the following common objectives:
  - Promote the internal controls program
  - Ensure risk is appropriately understood, communicated, and managed
  - Facilitate design and implementation of internal controls to manage and decrease risk
  - Track and monitor remediation of issues
- Internal Audit and Compliance help identify potential control issues and improvement opportunities in advance of external parties.
  - It is always better if someone on your own team identifies the issue first!
  - Preparing for a review by Internal Audit or Compliance will help prepare for the real deal.

Summary

- Establishment of a standard, repeatable, company-wide internal controls program facilitates achieving and maintaining a strong control environment.
  - Controls evaluated as part of audits should be incorporated into the program.
  - Management ownership of the design, implementation, and testing of key controls is paramount.
  - Controls should be routinely evaluated and tested.
  - Control documentation should be maintained and can be leveraged by many.
  - Proactive discussion and escalation of significant risks and internal control gaps makes for an informed management team.
- Good controls are good business!
- Groups such as Internal Audit and Compliance are on your side, not out to get you.
  - They share the same goal of "passing" an audit
  - Coordinate with the third-party auditors
  - Help prepare for the exam or assessment
  - Identify control issues in advance of the exam or assessment
- Organizations are unique; a single approach will not work for all.
  - Remember the common thread across all audits
  - Self-test controls to uncover any skeletons before the auditors do
  - Internal Audit and Compliance are your friends
  - Everyone loves a good audit!

Questions and Contacts
- Ruth Hoch, George Washington University, rhoch@gwu.edu
- Jennifer Walker, Sallie Mae-GRC, jennifer.walker@salliemae.com
- Steve Recchia, Enterprise Recovery Systems, Inc., srecchia@ersinc.com