Common Findings During Title IV Audits
1. Is Your Transfer Student Monitoring Process Completed?
If a student received financial aid while previously attending another school, the school to which the student transferred is required to request a financial aid history prior to disbursing Title IV funds. In addition, an institution must request updated information through the National Student Loan Data System (NSLDS) Transfer Monitoring Process for students who transfer from another institution during the same award year.
Sometimes the little things get missed during the student enrollment process—this happens to be one that we see on a fairly consistent basis. This is not to say the regulation itself isn’t important, but more so that the process of adding a student to the Transfer Monitoring List is actually pretty painless and can be easily worked into your standard enrollment process.
It’s always good practice to run NSLDS loan and Pell grant histories as part of your financial aid packaging process. This is how you see what the students have borrowed and if there are any overlaps for the current award year from any prior institutions the students may have enrolled at. If you do identify an overlap in award year, you need to click the “Add Student to Monitoring List” button that is located in the middle of the first page. That is all you need to do! Once you add a student to the monitoring list, they will remain on that list for 90 days. If you are in the practice of storing your initial NSLDS history reviews in your student files, be sure to do so after you click this button, as it serves as proof you have added the student to the listing.
Many times we do find this is not the case, so how can we tell if a student was actually added to the list? As part of our standard checklist, we have you log into NSLDS and request the Transfer Monitoring Summary Report (SCH07B) for the audit period. This summary will show every student that was added to the list during the timeframe you request the report for. This allows us to find students we were unable to identify during the individual student file review. It’s not a good sign when we receive a blank listing; meaning the process was not followed.
We encourage all institutions to look into this process and implement it immediately. Unlike many things in the Title IV world, this is a pretty easy fix—so there is no time like the present!
2. Student Information Security
By now, everyone knows about protecting personally identifiable information (PII) and is aware of cybersecurity/major data breaches within financial institutions. However, did you know that the Federal Trade Commission (FTC) considers most schools that participate in the Department of Education’s student financial assistance programs as a “financial institution?” This all derives from the basis of the financial relationships most schools have with students, donors and others.
Under your school’s Program Participation Agreement (PPA), the Department of Education expects you to comply with FTC regulations for implementing the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information sharing practices to their students and adopt safeguards for secured and sensitive data.
On October 30, 2019, the Office of Inspector General issued an amendment to the 2016 Audit Guide designed to include Student Information Security as part of the annual compliance audit process. Under the Gramm-Leach-Bliley Act, schools need to:
- Implement an information security program and have policies in place for handling financial data, such as student or parent annual income, as part of the support of the administration of your financial aid programs
- Designate an employee responsible for coordinating the information security program
- Identify and assess risks to customer information
- Design an information safeguards program
- Select service providers that can maintain the appropriate safeguards (this applies to your third-party servicers as well and needs to be covered in your contractual agreement!)
- Periodically evaluate and update your security program
For any compliance audits for fiscal years ending on or after December 31, 2019, your auditor is required to:
- Verify that the school has designated an individual to coordinate the information security program
- Verify that the school has performed a risk assessment that addresses:
- employee training and management
- Information systems, including network and software design, as well as information processing, storage, transmission and disposal
- Detecting, preventing and responding to attacks, intrusions or other systems failures
- Verify that the school has documented a safeguard for each risk identified in Step 2
Most schools already have safeguards in place in regard to data security. However, you must also make sure you are evaluating and documenting your current security policies against the requirements of the Gramm-Leach-Bliley Act and taking immediate action to remedy any identified deficiencies.
(2019, July 3). New OMB Policy Requires Title IV Privacy and Data Security Audit Checks. Retrieved from https://www.nacubo.org/News/2019/7/New-OMB-Policy-Requires-Title-IV-Privacy-and-Data-Security-Audit-Checks
16 CFR § 314.4 – Elements.. Retrieved from https://www.law.cornell.edu/cfr/text/16/314.4