FSA: Top 10 Audit Findings, Plus IPEDS & Cybersecurity

Popular topics in higher education include audit and program review findings, IPEDS and cybersecurity breaches at higher education institutions.

Popular topics at FSA included the most common audit and program review findings, as well as discussion on cybersecurity in higher education and the ways colleges can secure systems and personal information against ransomware. Here are takeaways from Global on relevant topics for financial aid administrators from the FSA conference at the end of last year.

By Rick Cox

Top Audit and Program Review Findings: To determine how well colleges are complying with federal regulations under Title IV and the Higher Education Act, postsecondary institutions undergo audits each year. The Department of Education also conducts program reviews to ensure colleges are compliant with all requirements.

According to FSA, the top 10 audit findings are:
• Repeat Finding
• Student Status Reporting
• R2T4 Calculation Errors
• R2T4 Late Return
• Verification
• Credit Balance Deficiencies
• Qualified Auditor’s Opinion
• Pell Grant Overpayment/Underpayment
• G5 Expenditures Untimely or Incorrect
• Entrance/Exit Counseling

These have been the same 10 findings for the past five years.

The top 10 Program Review findings are:
• Student Status Reporting
• R2T4 Calculation Errors
• Credit Balance Deficiencies
• Entrance/Exit Counseling
• Verification
• Crime Awareness Requirements Not Met
• Inaccurate Recordkeeping
• Bank Account – Federal Funds Not Identified
• Consumer Information

The shared findings from the two lists are:
• Student Status Reporting
• R2T4 Calculation Errors
• Verification
• Credit Balance Deficiencies
• Entrance/Exit Counseling

The General Accounting Office publishes The Green Book: Standards for Internal Control in the Federal Government, and schools can use this book as a guide to review their own internal controls to ensure administrative capability. The Green Book can be found at www.gao.gov/greenbook.

The Department of Education also suggests reading Volume 4, Appendix B, A School’s Financial Management Systems. This appendix includes a section on policies and procedures.

Improving IPEDS’ Student Financial Aid Survey: Timely and accurate completion of all surveys from IPEDS is mandatory for colleges that participate in federal financial assistance programs or are applicants for participation. Under COVID-19 reporting requirements, grants funded through the CARES Act should be:

• Counted as federal aid, not as Title IV aid
• Included in Parts A-C where specified in the survey
• Not included in Parts D & E, or they will skew the net price calculations

Changes to IPEDS data collection for 2022-2023 through 2024-2025 are being submitted for approval through the Office of Management and Budget for clearance in early 2022. There will be a 60-day comment period and then comments will be reviewed. Any changes or revisions will be placed back out for another 30-day comment period before going to final version. If changes are approved, the college would start in 2023-2024 for the 2022-2023 aid year.

These changes for the Integrated Postsecondary Education Data System are motivated by the need for clarity in the process, to ensure data better aligns and to eliminate some out-of-date data metrics.

An additional resource to visit is airweb.org, the Association for Institutional Research’s website dedicated to higher education and data-informed decision-making.

FSA Partner Connect – Year One and What’s Next: FSA Partner Connect is the digital front door to access all information necessary for the management of Title IV administration by colleges or partners. Partners are defined as schools, third-party services, state agencies, accrediting agencies, third-party software providers and financial partners (guaranty agencies/servicers, federal and FFEL lenders/loan services and private collection agencies).

The features of FSA Partner Connect are:
• Knowledge Center, which replaced IFAP
• Federal Student Aid handbook
• Dashboard and profiles for partners
• Student view of StudentAid.gov
• Student, parent and borrower accounts

FSA has noted a 12-point increase in satisfaction of users for the ease of searching the Knowledge Center since the conversion from IFAP.

Coming in summer 2022, the E-App process will be added on the FSA Partner Connect – Title IV Program Eligibility tab. This modernized version of the E-App will allow for smart logic (to catch errors), uploading of supporting documentation and digital signatures. In addition, the Third Party Servicer Data Form will be available electronically with digital signatures. If your E-App is processed through this new upcoming enhancement, you will be able to view and manage the process by statuses or comments added by the Department of Education. Training will be offered on the new tools and navigation so be on the lookout for the notice.

Cybersecurity and the Challenges Facing Financial Aid: The following is an overview of cybersecurity, including breaches in the education space, how to handle a breach, and the role and documented responsibilities colleges have in protection of student data.

There were some large data security breaches during 2020, with more than 1,700 schools, colleges and universities impacted by ransomware. The average cost of the attacks in higher education has been $447,000 per institution.

It was necessary for the Department of Education to focus on two areas as a priority for educational institutions. One aim was to improve student protection by focusing on best practices and communicating through outreach when these breaches occur. The second focus was to strengthen data protection and cybersecurity safeguards, such as a multi-factor authentication process that is coming within the year.

The biggest threats targeting the education space follow:
• Student direct deposit information. The goal is to redirect the financial aid funds to an attacker’s bank account
• A student’s Personally Identifiable Information (PII) for resale on the black market
• Encryption of a school’s system for ransom. Ransomware attacks have increased across the nation
• Targeting a university’s research and intellectual property. This has become a new target area
• Username and password theft. This can be dangerous when users have the same username and password for all accounts (your social media account becomes compromised and you use the same username and password for banking or work accounts)

As more colleges move to cloud-based storage, there may be an uptick in this type of security threat due to unsecured cloud databases.

The good news is that breaches related to email and to sending unsecured PII in attachments have declined significantly. Never send a password-protected attachment containing PII in the same email as the password. The password should be in a separate email from the attachment.

It is important to understand what constitutes a breach, which is a person other than an authorized user accessing or potentially accessing PII and using data in an unauthorized manner. Technically, providing a student by accident with paperwork or an email that contains another student’s PII is a breach. In addition, the access granted to a college through the Program Participation Agreement could result in a breach if someone without approved access uses an approved person’s credentials to access NSLDS, COD or other systems.

Reporting a breach is not considered a negative situation since the goal is to assist and repair any issues.

If a breach occurs, a college should take the following action:

  1. Send an email to FSA_IHECyberCompliance@ed.gov or call the Education Security Operations Center at (202) 245-6550.

  2. Include the following information in your email:
    • Date of breach (suspected or known)
    • Impact of breach (number of records, etc.)
    • Method of breach (accidental disclosure or hack)
    • Point of contact for the college on Information Security, including email and direct phone number
    • Remediation status (in process with necessary details, completed)
    • Next steps, if applicable

  3. The college should report to FSA so FSA can work with the institution of higher education to resolve the incident.

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, provides a framework that regulates data security at colleges and requires colleges to provide students with information on the college’s privacy practices, their opt-out rights and the safeguards implemented for security.

To ensure compliance with GLBA, colleges need to develop, implement and maintain a comprehensive information security program, which should be available during an audit for testing and reporting purposes.

The most common audit findings related to GLBA requirements were:
• Unable to identify a point of contact
• Missing an incident plan (how, when and who to report the issues)
• Failure to perform a risk assessment

In the development and continued process improvement of your security plan, you may want to review resources from the Department of Education. Those include:

• DCL: GEN-12 and GEN 15-18
• FSA Handbook Volume 2 Chapter 7
• FSA website at www.fsapartners.ed.gov/knowledge-center/topics/fsa-cybersecurity-announcements-and-guidance

Rick Cox is Global’s Executive Director of Regulatory Affairs and Compliance