UPDATED – QUESTIONS REMAIN ON RECENT COLLEGE CYBERSECURITY VULNERABILITIES

On July 17, the U.S. Department of Education’s Office of Federal Student Aid issued an Electronic Announcement regarding what they deemed an “active and ongoing exploitation” of a known vulnerability potential in some versions of Ellucian’s Banner software. According to FSA’s “Technology Security Alert, the vulnerability affects Ellucian Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. Pointing to advisory bulletin by the National Institute of Standards and Technology (NIST), FSA reported that hackers may be able to breach the system through an institutional account and could then potentially use that access to set up “thousands of student fake student accounts”. The Department says that 62 colleges or universities have been identified which may be affected. Federal Student Aid’s Cyber Incident Team is working with institutions to identify if systems were impacted and to facilitate the necessary fixes. FSA asked institutions using Ellucian Banner to do the following:

  1. review the vulnerability details as provided in NIST advisory CVE-2019-8978;
  2. contact Ellucian to receive information needed to patch or upgrade affected systems; and
  3. respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov.
  • Include the following information in your email:
  • Institution’s Name
  • Information Technology (IT) Contact at Institution (Name, Email Address, Phone Number)

Ellucian has since pushed back on ED’s characterization of the nature of breach and its impact, stating that Banner’s potential software vulnerabilities, which were brought to light by both Ellucian and the National Institute of Standards and Technology in May, are unrelated to some of the other cybersecurity concerns outlined by ED. Ellucian said neither they nor ED have reason to suspect that a breach occurred as a result of the Banner software vulnerability. Schools using the impacted software should implement the system patch issued by Ellucian in May, if they have not already done so.

This is the second summer in a row that ED released a Technology Security Alert. In August of 2018, FSA released a warning about a malicious phishing campaign aimed at student email accounts. Officials cautioned that cybercriminals could change student account information including information such as direct deposit banking information which could be used to funnel student refunds and aid distributions into accounts controlled by the attackers. FSA offered this guidance to institutions:

How to protect IHEs: FSA strongly encourages IHEs to strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication processes. These types of authentication rely on a combination of factors, for example, username and password combined with a PIN or security questions or access through a secure, designated device.

If you believe your institution has fallen victim to an attack, report the incident immediately to cpssaig@ed.gov and FSASchoolCyberSafety@ed.gov. Include the following:

  • Name of the institution
  • Date the incident occurred (if known)
  • Date the incident was discovered
  • Copy of the phishing email (if available)
  • Extent of the impact (number of students)
  • Remediation status (what has been done since discovery)
  • Institution point of contact

Suggested remediation steps if an institution falls victim to the attack:

  • Temporarily freeze refund requests until the scope of the incident can be known. Note, refunds must still be provided within regulatory guidelines which may require a change in how impacted IHEs issue refunds, e.g. issue paper checks.
  • Temporarily disable changes to direct deposits for refunds.
  • Block IP addresses observed in institution logs related to the attack.
  • Disable campus credentials or passwords for potentially affected students and require password resets.
  • Perform additional forensic analysis on server and application logs from recent weeks.
  • Notify all students, warning them of active phishing attempts and encourage them to be vigilant and careful about using links and entering personally identifiable information into websites.

UPDATED – On Tuesday August 6, the Department of Education released an updated Technology Security Alert regarding the vulnerability in Banner Web Tailor and Banner Enterprise Identity Services.

The Department dialed back their claims that Banner products were affected and instead point to vulnerabilities in “third-party software” being used as “front-end access points to the Ellucian Banner System and similar administrative tools”. The Department also confirmed what Ellucian has been saying all along – “To date, based on reports from targeted institutions, we have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert.”

In an emailed statement from Ali Robinson, an Ellucian spokesperson, he said

“Research by the Department has found:

  • no instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert.
  • an industry-wide issue in which attackers use automation tools to submit fraudulent admission applications in order to obtain new student accounts.

Additionally, I should note that, Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the known Banner vulnerability.”

The Department is advising institutions to  review any third-party front-end applications to ensure that they are not introducing unpatched vulnerabilities, or increasing the risk of potential future issues through automation attacks. The Department reccommends that insitutions implement human validation checks as part of their front-end portal submission process.

 

DOES YOUR SAP POLICY MAKE THE GRADE?

I’ve been spending a lot of time reading the latest batch of Final Program Review Determination letters released by ED last month. One thing is for sure, some people still don’t understand Satisfactory Academic Progress, otherwise known as SAP. So, this month I’m writing about SAP. After all, I wouldn’t want you to have problems like these schools did.

Whether it’s deficient policies or schools simply failing to administer their own policies correctly, SAP findings continue to be a top program review finding year after year. According to the Department, each year they’ve issued findings and liabilities to dozens of schools and colleges because of SAP issues. It’s problematic because since SAP is directly connected to students’ aid eligibility. Incorrect determinations of SAP and aid eligibility, whether by policy, or by inadequate monitoring, results in ineligible disbursements. Get busted for ineligible disbursements and you’ll literally pay for it. Liabilities related to SAP in Fiscal Year 2017 ranged from $25,000 on the low end (small proprietary school) to as much as $5.6MM (mid-sized public college).

In 2011, a package of rules known as the Program Integrity Regulations went into effect. The new regulations required schools to develop, publish, and apply reasonable standards for measuring whether a student is maintaining SAP in his or her educational program. These regulations created new minimum standards institutions must use when monitoring Satisfactory Academic Progress including specific qualitative and quantitative requirements which include requirements to define pace or progression and maximum timeframe. ED gives schools flexibility in choosing the frequency of evaluations and even in choosing whether to implement provisions for financial aid warning, probation, and appeals but these topics and others, need to be addressed by your school’s policies.

Unfortunately, some colleges haven’t fully implemented these requirements going on eight years after they took effect. It’s no surprise however that ED ranks “Failure to comply with the Program Integrity Regulations that went into effect on July 1, 2011” as one of the most common SAP findings from recent program reviews.

This finding can stand on its own as a common problem, but, it’s also an overarching finding which encompasses myriad underlying SAP issues. Knowledge is power, so here are some common pitfalls to avoid and some tips for making sure your Satisfactory Academic Progress policies and procedures are compliant.

  1. Failure to develop a policy that meets the minimum Title IV requirements.

The 2011 SAP regs, require institutions to incorporate several new elements into their SAP policy. In addition to specific qualitative and quantitative requirements, requirements to define pace and maximum timeframe, and provisions for financial aid warning, probation, and appeals, an institution’s SAP policy must describe how a student’s GPA and pace of completion are affected by incompletes, withdrawals, course repetitions and transfer credits. If your policy is missing any of these elements, it might not meet the minimum Title IV requirements leading to other administrative capability issues.

The SAP policy at the college that was assessed liabilities of $5.6MM didn’t comply with the 2011 SAP requirements. As a result, the school disbursed Title IV aid to students who had failed to make SAP under ED’s current standards, students who should have been deemed ineligible for further Title IV aid due to failing to make SAP. Not all SAP issues are as egregious or costly though.

  1. Applying a different policy than the official written SAP policy.

Prior to 2011 SAP requirements were less prescriptive and there were fewer limits on aid eligibility for students who failed to make the grade. Back then, SAP, although required for aid eligibility was viewed largely as an academic measurement and thus often the responsibility of a Dean or Department Chair to develop an institution’s academic policy and to monitor student progress. Even at schools that have updated SAP policies, old policies linger in some form and it’s important to make sure you follow your official SAP policy for Title IV purposes.

668.32 states that students are expected to maintain satisfactory academic progress in their course of study according to the institution’s published standards of satisfactory academic progress.

Yes, you have to publish your SAP policy.

Yes, you have to use the one that’s published.

No, your academic policy from 1998 won’t (likely) cut the mustard here.

Now that doesn’t mean that your school can’t have another policy; for instance, something like a policy on academic standing. It’s not uncommon for colleges to have such policies since they largely don’t impact aid eligibility and are typically applied to all students including those students who are not receiving aid. The key here is that your Title IV SAP policy must be at least “as strict or stricter than other school policies”.

Having a SAP policy “as strict or stricter than other school policies” refers to the actual measurements used to monitor qualitative and quantitative standards like GPA and pace of progression. That’s why it’s important to ensure that academic policies if they exist, aren’t confused with your Title IV SAP policies. Make sure you publish your official Title IV SAP policy and follow that one. Also, if your school publishes different SAP policies for different programs or categories, you must be sure to apply the correct policy consistently to students in that category or program.

  1. Misalignment of pace of progression and maximum timeframe.

The 2011 regulations capped financial aid eligibility for undergraduate programs at 150% of the published program length in credit hours. Graduate programs are generally free to define maximum timeframe based on the length of the program. And for clock hour schools, max time frame is expressed in weeks. It’s important that your policy specifies the pace at which students are expected to progress toward program completion. The maximum timeframe is used to determine the pace of completion.

Consider the standard example for aligning pace with maximum timeframe, a four-year degree program which requires 120 credits for completion. 120 x 150% = 180 attempted credits. This is your maximum timeframe. To calculate Pace, divide 120 by 180. 120/180 = 66.67% pace requirement (rounding is permissible, and this is commonly rounded to 67%).

Let’s say for the sake of argument that your institution requires more academic rigor, thus requiring stricter SAP standards than the minimum standards required by ED. That’s okay, but you must still define both pace and maximum time frame and make sure that the two are properly aligned to one another.

As your pace requirement increases above 67%, your maximum timeframe decreases from 150%.

Let’s say that your policy requires students to make 85% pace toward completion, the maximum timeframe must be something less than 150% of your published program length.

To calculate maximum time frame, first divide 100% scheduled length by the required pace.

In this case, 120 credits is the 100% scheduled length for a bachelor’s / 85% pace = 141 credits maximum timeframe.

To test this, reverse your arithmetic and divide 120 Credits by the 141 maximum time frame and you’ll get 85% pace.  120/141 = 85% pace.

Try it with your own pace and max timeframe to see if they are aligned properly. If the math doesn’t work, you may have a problem that needs fixing.

  1. Failure to properly monitor and/or document satisfactory academic progress.

This one shouldn’t need explaining, but this issue is all too common. One school was cited for problematic transcripts which failed to list students’ course work in conjunction with each payment period. That made it extremely difficult to determine if students were making SAP. Although the school did use a SAP evaluation form, the form only included check marks indicating that qualitative and quantitative progress was checked, but the school didn’t provide any substantiating documentation of what students’ progress was, couldn’t correlate it with a transcript or proof that the evaluation was done at the end of the payment period. Although this finding was eventually closed, it highlights the concern. The school was required to revise their SAP policy and provide a  detailed narrative and supporting documentation to ED to prove students’ eligibility. Not fun!

In another program review, ED found that an online college simply wasn’t monitoring SAP and was letting students continue to receive aid despite having failed SAP. The college had no evidence that it ever put students on warning or subject students to loss of aid. It turns out, the college also failed to notify students of changes in aid eligibility. When all was said and done, ED found the college made over $700,000.00 in ineligible disbursements and hit them with a hefty liability.

In another case, ED found that one small school’s SAP policy didn’t require monitoring of its students’ progress at the correct intervals for its clock hour programs. Specifically, the institution’s policy did not monitor SAP at the end of a payment period as required. ED also found that it did not apply the Financial Aid Warning status or the Probationary status correctly because the application of these statuses additionally did not correspond to the end of a payment period.

Instead the institution’s policy assessed SAP at strange intervals of 13.5 weeks, 27 weeks, 40.5 weeks and 54 weeks when it should have monitored SAP based on the midpoint of its academic year and scheduled weeks; at the end of 450 scheduled clock hours and 18 weeks (*the school noted they used scheduled hours for SAP). As a result, the institution was required to do a full SAP file review for the two most recently completed award years, revise and update their policy and repay nearly $27,000 in ineligible disbursements to ED. For a small school, even small liabilities can break the bank. And that was just for their SAP problems…

Don’t make the same mistakes and missteps as these schools did. Do and you’re asking for trouble. Regardless of whether your school hasn’t had a program review in 20 years, or you’re PPA is up for recertification soon, take some time to look at your SAP policy and related procedures to ensure they make the grade.

TOP 10 PROGRAM REVIEW FINDINGS OF 2018

Higher Ed Executives Financial Aid Consultants

TOP 10 PROGRAM REVIEW FINDINGS OF 2018

One of the functions of the U.S. Department of Education is to oversee the Federal Student Aid programs to ensure they are administered correctly and that institutions are meeting the FSA requirements for institutional eligibility, financial responsibility, and administrative capability.

School Participation Divisions review information about each title iv approved school from a variety of sources including accrediting agencies, state licensing boards and agencies, student complaints and of course, financial and compliance audits.

This information is evaluated by ED and FSA to assess potential risk to the FSA programs and if necessary, act to investigate a school. One of the ways ED does this is by conducting program reviews at schools that exhibit certain indications of problems or pose a potentially significant risk of failing to comply with the rules and regulations governing title iv participation.

Knowing what to watch out for can help you avoid compliance problems.

These findings represent data ED reported based on findings from Program Review audits and compliance examinations reports conducted by FSA and published in the last twelve months for fiscal year 2018.

  1. NSLDS Roster Reporting – Inaccurate/Untimely Reporting
  2. Crime Awareness Requirements Not Met
  3. Return of Title IV (R2T4) Calculation Errors
  4. Drug Abuse Prevention Requirements Not Met
  5. Student Credit Balance Deficiencies
  6. Consumer Information Requirements Not Met
  7. Verification Violations
  8. Entrance/Exit Counseling Deficiencies
  9. Inaccurate Recordkeeping
  10. Satisfactory Academic Progress Policy Not Adequately Developed/Monitored

Findings like these are preventable.

Higher Ed Executives provides colleges and universities with objective and confidential assessments that can help you uncover unknown compliance problems and improve title iv administrative and operational procedures and processes.

Our comprehensive assessments cover the full spectrum of FSA requirements for institutional eligibility, financial responsibility, and administrative capability.

Call us today for a free no obligation consultation and to find out how our assessments can work for you.

Call 203-836-4806

FSA IS PLANNING MULTIPLE SYSTEM OUTAGES DURING NOVEMBER

ICYMI – NOVEMBER SYSTEM OUTAGES

Throughout the first few weeks of November, there will be several planned outages impacting the availability of Federal Student Aid Systems. During these outages, government systems will be unavailable which could impact students applying for aid as well as schools’ ability to award, disburse and draw down title iv funds.

FSA ID SYSTEM OUTAGE – November 3-4, 2018 

From 11 p.m. Eastern time (ET) on Saturday, November 3, 2018, until 11 a.m. ET on Sunday, November 4, 2018, users will be unable to access functionality that requires an FSA ID on the websites and systems listed below. Users attempting to access an impacted website or system during this outage period will receive an error message informing them that the page cannot be found or that the site is unavailable due to maintenance.

  • Borrower Defense to Loan Repayment (customers may submit applications at StudentAid.gov/borrower-defense during the outage but will be unable to sign in with an FSA ID)
  • gov (users of the myStudentAid mobile app will also be unable to sign in with an FSA ID)
  • Federal Student Aid Feedback System (customers may submit feedback directly at feedback.studentaid.ed.gov during the outage but will be unable to sign in with an FSA ID)
  • FSA ID
  • National Student Loan Data System (NSLDS®) Student Access
  • gov My Federal Student Aid functionality
  • gov, including the Teacher Cancellation Low Income (TCLI) Directory (until Noon ET on Sunday, November 4, 2018)

G5 SYSTEM OUTAGE – November 10-19, 2018

All day Saturday, November 10, 2018 through 6 a.m. Eastern time (ET) on Monday, November 19, 2018, the G5 website will not be available. Schools will not be able to draw down or return funds during this period for the following Title IV Programs:

  • Campus-Based Programs
  • Federal Pell Grant (Pell Grant)
  • Iraq and Afghanistan Service Grant
  • Teacher Education Assistance for College and Higher Education Grant (TEACH Grant)
  • William D. Ford Federal Direct Loan (Direct Loan)

COD SYSTEM OUTAGE – November 10 – 19, 2018

All day Saturday, November 10, 2018 through 6 a.m. ET on Monday, November 19, 2018, the Common Origination and Disbursement (COD) System will accept Pell Grant, Iraq and Afghanistan Service Grant, TEACH Grant, and Direct Loan records. However, after 10 a.m. ET on Friday, November 9, 2018, Current Funding Level (CFL) changes (as a result of actual disbursements) and funding will not be processed by G5 until November 19, 2018.

All actual disbursements with a disbursement date from November 10th through November 16th must be received, and subsequently accepted, by the COD System no later than 10 a.m. ET on Friday, November 9, 2018, in order to generate the appropriate funding level increase prior to the outage. Disbursements submitted by the deadline but not subsequently accepted, disbursements submitted after the deadline, and disbursements with a disbursement date after November 16th will be processed and funded after G5 re-opens.

Note: Generally, schools that submit records by the 10 a.m. ET deadline on November 9th will be able to draw those funds after 2 p.m. ET on Friday, November 9th.

IRS DRT SYSTEM OUTAGE – November 11-12, 2018

The IRS DRT will be unavailable on Sunday, November 11, 2018 and Monday, November 12, 2018 from 8 a.m. to 6 p.m. ET each day as the IRS completes critical system upgrades. During these outage periods, actions can be completed on fafsa.gov, using the myStudentAid mobile app, and on StudentLoans.gov. However, if an action requires entry of federal tax information, the tax information will need to be provided manually. Applicants may wish to complete the application after the outage is over.

In the event the IRS is unable to complete its upgrades during the outage periods described above, an additional outage will be scheduled for the weekend of November 17-18, 2018. Monitor the Information for Financial Aid Professionals (IFAP) website for an Electronic Announcement that will provide details about this additional IRS DRT outage, if needed.

EZ-AUDIT INSTRUCTIONS FOR INSTITUTIONS SUBJECT TO ASU 2016-14

In August 2016, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2016-14, Presentation of Financial Statements of Not-for-Profit Entities. ASU 2016-14 reduced the number of classes of net assets from three to two; Net Assets Without Donor Restrictions, and Net Assets with Donor Restrictions. ASU 2016-14 also requires the presentation of expenses in both natural and functional classifications.
ASU 2016-14 is effective for fiscal years beginning after December 15, 2017, with early adoption permitted. The Department’s eZ-Audit system has not been updated to reflect these changes yet. Recently Federal Student Aid offered interim guidance for early implementers to ensure data is properly loaded into the financial statement templates.

FUNDAMENTALS OF FEDERAL STUDENT AID ADMINISTRATION WORKSHOPS

Federal Student Aid just announced the Fundamentals of Federal Student Aid Administration training workshops schedule for November 2018 through September 2019. These four and a half day, in-person workshops are conducted at ten different locations around the country throughout the year at one of the Department of Education’s regional training facilities.

If a school undergoes a change in ownership or control, or if your school is applying for Title IV participation for the first time, the school’s chief financial aid administrator and its chief administrator (typically school President, CEO or another high-level school official designated by the President or CEO) must attend training. For new schools, attendance at this workshop is required to complete your institution’s certification and is one of the prerequisites for coming off “provisional status”, which usually occurs 12-24 months after your school is initially approved for Title IV funding. When your school applies for recertification, the Department will check to make sure that both required people have attended the workshop, and for the appropriate number of days. The Department may also request that you send a copy of the certificate that you received, to prove your attendance. If your school is undergoing a Change of Ownership, you must also attend this workshop within 12 months.

Anyone who plans to attend must also complete online prerequisite courses for FSA Coach Fundamentals which is approximately 20-30 hours to complete. After passing the course, participants will be sent a link to register for the in-person session.

Participants who wish to register for and attend a Fundamentals of Federal Student Aid Administration workshop must first successfully complete an online, prerequisite course titled FSA Coach Fundamentals (formerly known as Introduction to Federal Student Aid). The online course may take 20 to 30 hours to complete, so please plan accordingly. Together, these two courses comprise the Fundamentals Training Series.

FSA is offering two workshops that are exclusively for schools with clock-hour programs. These clock-hour-only workshops are scheduled for May 6-10, 2019 in Dallas, Texas and May 13-17, 2019 in Washington, DC. Only schools with clock-hour programs will be allowed to attend these workshops. Clock-hour schools may, however, enroll in any workshop that is listed in this announcement and are not limited to the two listed above. All workshops cover material applicable to clock-hour schools.

For more information including the 2018-2019 schedule of trainings, a brief Q&A, and information about registering check out this electronic announcement from FSA.

SAVE SYSTEM GLITCHES ON THIRD STEP VERIFICATION

After some new SAVE system users began receiving “No Records Found” messages when submitting Third Step Verification Requests through the recently launched DHS System, FSA is asking schools that are receiving this message to temporarily stop processing third-step cases and stop sending DHS numbers to application processing to generate new DHS verification numbers. According to FSA, the Department of Homeland Security which runs the SAVE site has identified the problem and is working on implementing a solution. The fix is expected to be rolled out by the middle of July.

In the meantime, schools should follow the steps contained in this electronic announcement to receive an updated ISIR from CPS. These procedures are like those provided during the transition to the DHS SAVE system.

DELAY OF STATE AUTHORIZATION RULES FOR DISTANCE EDUCATION PROVIDERS

State Authorization Reciprocity Agreement

The Department of Education announced it will delay the effective dates of the controversial state authorization rules that were passed at the end of the Obama administration and set to go into effect on July 1, 2018. The rules, initially introduced in 2010, have been postponed before, and this time the Department expects to delay the effective date until July 1, 2020. The delay will allow the Department to take up the issue in another round of negotiated rulemaking sessions and rewrite the rules.

The regulations mainly delineate State authorization requirements for postsecondary distance education that must be met for participation in the Title IV aid programs. Under the state authorization regulations, online programs were required to obtain approval in each state where they enrolled students. As a result, colleges and universities were left with few options; forced to either seek approval from each state individually unless they were lucky enough to be based in a state with a “State Authorization Reciprocity Agreement” in place, or forgo enrolling students living in states where they weren’t approved. Public comments on the delay are open until June 11, 2018.

OVERTIME WAGE CHANGES

Higher Ed Executives Consulting Firm

The Department of Labor is undertaking rulemaking to revise regulations which govern the exemption of executive, administrative, and professional employees from the FLSA’s minimum wage and overtime pay requirements after Obama era regulations were struck down by a federal district court in 2016. Before the court blocked the rule, Institutions of Higher Education were poised to begin expanding overtime to their employees and despite being blocked, there were lots of lingering questions about which employees were eligible for overtime pay and which weren’t.

Under the Fair Labor Standards Act (FLSA) Higher Education employees such as faculty, administrators and other “white-collar” employees must meet unique requirements to be classified as exempt from federal overtime pay rules.

The FLSA requires that a non-exempt employee receive minimum wages for his or her work, as well as overtime wages whenever he or she works more than 40 hours in a workweek. Section 13(a)(1) of the FLSA, however, exempts certain employees who perform bona fide executive, administrative, professional, and outside sales duties from minimum wage and overtime requirements. These exemptions are often called the “white collar” exemptions.

To qualify for a white-collar exemption, an employee must generally satisfy three tests:

  1. The employee must be paid on a salary basis that is not subject to reduction based on the quality or quantity of work (the “salary basis test”), rather than, for example, on an hourly basis;
  2. The employee must receive a salary at a rate not less than $455* per week (the “salary level test”); and
  3. The employee’s primary duty must involve the kind of work associated with the exempt status sought, such as executive, administrative, or professional work (the “duties test”).

If you’re thinking this list is awfully broad, you’re not alone. It’s reasonable to assume based on this that these rules could apply to everyone from teachers and coaches to financial aid and admissions personnel. And let’s not forget student employees like graduate teaching assistants, research assistants, and student residential assistants, they’re covered here too.

Recently the U.S. Department of Labor Wage and Hour Division released Fact Sheet #17S: Higher Education Institutions and Overtime Pay Under the Fair Labor Standard Act. This fact sheet breaks it all down for you so that you can see which jobs are exempt and there are a few changes to note:

Exemptions for Common Higher Education Jobs

  • Teachers and Faculty including those who teach online or remotely
  • Coaches (excluding recruiters)
  • Professional Employees (Teachers and Learned Professionals)
  • Administrative Employees (Financial Aid, Admissions, Registrar etc.)
  • Executive Employees

Student Employees (Graduate Teaching Assistants, Research Assistants, Student Residential Assistants)

UPDATED SINGLE AUDIT SUBMISSION REQUIREMENTS FOR 2018

If your school has been a Single Audit filer, ED recently provided an update to the submission requirements for 2018 that you’ll want to pay attention to. Last year, the Department required Single Audit filers to submit an audit annually and, in the event that the Student Financial Assistance Cluster, which includes the Title IV programs, was not audited as a major program because it was identified as a low-risk program, filers were instructed to contact their School Participation Division to report the low-risk determination.

Updated Audit Requirements for 2018

Public and non-profit entities with institutions participating in the Title IV programs that submit a Single Audit that does not include the Student Financial Assistance Cluster as a major program will no longer be required to notify their respective School Participation Division of the low-risk assessments.

According to 2 C.F.R. § 200.518(a), under a Single Audit, an auditor must use a risk-based approach to determine which Federal programs are major programs. Part of the major program determination requirements at 2 C.F.R. § 200.518 require an auditor to identify larger Federal programs (Type A programs) which are low-risk. If a Type A program is identified as low-risk, it is not required to be audited as a major program, unless necessary to comply with the percentage of coverage rule. For a Type A program to be considered low-risk, it must, among other requirements, have been audited as a major program in at least one of the two most recent audit periods.

Institutions must still submit (via the Department’s eZ-Audit system) their complete Single Audit each year by the due date regardless of whether the Student Financial Assistance Cluster was audited as a major program.

The impact on year three testing requirements (after two years of low risk assessments) for fiscal year 2019 audits and beyond is still under review.

You can read the full electronic announcement from Federal Student Aid here.