

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




OCR for page 225
QUALITY IN STUDENT FINANCIAL AID PROGRAMS

APPENDIX F

Alternative Approaches to Audit and Program Review for Student Financial Aid Programs

Urton Anderson
C. Aubrey Smith Center for Auditing Education and Research
The University of Texas at Austin

The Department of Education has used two types of "audit" to control student financial aid programs at participating educational institutions: program review and independent audit.1 With the 1992 reauthorization of the Higher Education Act (P.L. 102-325), a third type, the state postsecondary review, has been added. Because there is yet considerable uncertainty about how this third "audit" mechanism will be implemented, it is discussed here only in terms of the 1992 amendments' intent and how such a mechanism might affect program review and, particularly, independent audit. After a brief treatment of program reviews, the remainder of the paper focuses on the independent audit.

1 The department also has responsibility for controlling student loan programs at some 12,000 participating lenders and 47 guaranty agencies. Control of the student financial aid programs at these types of institutions also involves audits, but such audits are beyond the scope of this paper.

PROGRAM REVIEWS

Program reviews are conducted by Department of Education personnel with the objectives of determining compliance with program regulations, evaluating financial and administrative capabilities, and providing technical assistance. The limited resources the department has for these reviews are allocated using a risk model consisting of seven components. The risk components given the greatest weight (20 percent each) are absence of a program review in the past four years, default rates (two prior years) greater than 30 percent, and the number of overdue audit reports. The other four components of the model (given a weight of approximately 10 percent each) are significant increases in the number of guaranteed student loans (GSLs) or Pell grants over the prior three years, change of institution ownership in the prior three years, whether the institution is being monitored for financial capability, and a subjective assessment based on impressions from student complaints or other negative publicity regarding the institution.

The department, until recently, conducted approximately 1,000 program reviews each year out of a potential 8,500 institutions, an average annual coverage of about 12 percent of the universe of postsecondary institutions. Current plans call for 600 to 700 reviews per year. The risk model appears to be appropriately targeting program review resources. Even using a conservative measure of review benefit, average liabilities assessed per review appear to more than cover their cost. Further, the reviews seem to be increasingly effective; average liabilities assessed per review have increased from $37,000 in fiscal year 1989, to $86,000 in fiscal 1990, to an estimated $150,000 for fiscal 1991.

INDEPENDENT AUDITS

In addition to being subject to program review, the Higher Education Act of 1965, as amended by P.L. 99-498, required educational institutions participating in student financial aid programs to have an independent audit at least every two years.2 The purpose of the independent audits is to help program managers in the Department of Education meet their stewardship responsibilities.
In particular, the audits are designed to help departmental managers determine whether institutions participating in the programs provide reliable financial data, have an adequate system of internal control for the institution's financial aid operations, and comply with program regulations.

2 The 1992 bill reauthorizing and amending the Higher Education Act of 1965 requires that independent audits be conducted annually (Section 487(c)(1)(A)(i) of the act, as amended).

The audits are performed, under contract to the institution, by state and local governmental auditors and by independent certified public accountants (CPAs). The cost of the audits may be recovered by the participating institution as either a direct or indirect administrative expense. However, no special appropriations are made for audit costs. The cost must be built into the institution's specific grant document or overhead proposal. To the extent that administrative costs exceed the program maximum, additional costs for the audit are not recoverable.

Independent audits may be conducted in one of three ways. The particular approach taken depends on the type of institution (public, private nonprofit, for-profit).3 Public and private nonprofit institutions have some degree of latitude in selecting an approach; for-profit institutions are limited to one approach. Each of the approaches addresses the three audit objectives listed above, but the audit resources required vary considerably across the approaches.

Approach One: Audit Guide

Under this approach (also called a "program audit"), the auditor follows the Audit Guide: Audits of Student Financial Assistance Programs, issued by the U.S. Department of Education (1990). The guide allows two alternative methods of conducting the audit. Using the first method the auditor integrates the auditing procedures with the audit of the financial statement of the institution and provides an opinion on the financial statements and a report on supplemental data (i.e., the schedule of expenditures for each student financial aid program). Using the second method the auditor renders an opinion only on the Modified Statement of Cash Receipts and Disbursements for student financial aid programs. The approach taken to assessing the adequacy of internal controls and compliance is the same under either method. Reporting on compliance requires identification of all material instances of noncompliance discovered during the audit.

The "audit guide" approach can be selected by public and private nonprofit institutions.4 It appears to be required of for-profit institutions.
During the 12 months ending March 31, 1992, the Department of Education processed 3,040 independent audits that used this approach (51 percent of the audits processed during the period).5

3 The type of audit does not depend upon the auditor. State and local governmental auditors as well as independent auditors (CPAs) can perform any of the three types of audit.

4 There appear to be some restrictions on adoption of the "audit guide" approach for some private nonprofit institutions. According to Statement No. 6, Question 5, of the President's Council on Integrity and Efficiency (1992), nonprofit institutions with total awards of $100,000 and more than one student aid program must use the A-133 approach (discussed below).

5 This information is from the Department of Education's semiannual reports to the President's Commission on Integrity and Efficiency concerning the quality of non-federal audits. At the time of this writing, I had not been able to determine how many of the audits were of student financial aid programs versus other Department of Education programs.

Approach Two: A-128

Public institutions of state and local governmental entities may satisfy the independent audit requirement through audits conducted in accordance with Circular A-128 of the Office of Management and Budget (1985).6 Single audits are required of state and local governments receiving more than $100,000 per year in federal assistance. However, a state or local government can elect to exclude institutions of higher education from its A-128 audits. If the college or university is excluded, it would be subject to the audit requirements of A-133 (see below). With few exceptions the audits are required annually.7

The objectives of the single audit are the same as those set out in the Higher Education Act for independent audits of student financial aid programs. However, in the single audit the objectives apply to a much larger entity, namely, the complete governmental unit. The extent to which student financial aid programs are covered by the single audit depends on whether the program is characterized as major or nonmajor. For governmental units receiving between $100,000 and $100 million in federal assistance per year, a "major" program is any program receiving the larger of $300,000 or 3 percent of total federal assistance to the unit.8 It appears that determination is made on the basis of each type of student financial aid program.

If a student financial aid program has been determined to be a major program, audit procedures would be similar to those under a "guide" audit. Although the Audit Guide is recommended for use in determining compliance when major student financial aid programs are involved in an A-128 audit, the guide is used primarily to identify specific compliance requirements to be tested. The minimum sample size requirements and mandatory audit areas in the guide need not be followed. However, selection and testing must include a sufficient number of transactions from each major program to support the audit opinion on each program.

If the student financial aid program is determined to be a "nonmajor" federal program, limited testing of the internal control structure and compliance is required. For nonmajor programs it is required only that the auditor obtain an understanding of the internal control structure's policies and procedures that are relevant to preventing or detecting material noncompliance. Testing of specific federal compliance requirements is performed only if a nonmajor program transaction occurs in some other audit test.

6 The Office of Management and Budget (OMB) issued Circular A-128 in conjunction with the Single Audit Act of 1984. Circular A-128 provided more specifics as to how the Single Audit Act was to be implemented.

7 The 1992 reauthorization of the Higher Education Act requires annual audits of all student financial aid programs.

8 Units receiving more than $100 million in assistance apply a schedule going from $100 million to greater than $7 billion. For example, a "major" program would be one with federal expenditures greater than $3 million for a unit with federal assistance of between $100 million and $1 billion. The criterion is $20 million for units with assistance of over $7 billion.

Unlike reporting on compliance in the "audit guide" approach (in which only material instances of noncompliance must be reported), under the Single Audit Act the auditor is required to report any noncompliance event found during testing, regardless of its materiality.

In the 12-month period ending March 31, 1992, the Department of Education processed 2,576 independent audits conducted under the A-128 approach (43 percent of the audits processed during the period). Quality control for A-128 audits is divided among various federal agencies. The Department of Education was the cognizant agency (i.e., had responsibility for overseeing the implementation and the quality control of the audit) for 91 of the A-128 audits. The department also had general oversight responsibility for 1,758 of the A-128 audits.9 Other federal agencies had cognizance or general oversight responsibility for 727 of the audits.10

To illustrate the variation in coverage of student financial aid programs in A-128 audits, coverage of public institutions in the A-128 audit of the state of Texas is presented in a subsequent section of this report.

Approach Three: A-133

In 1990 the Office of Management and Budget issued Circular A-133 to implement the single audit concept for nonprofit organizations, particularly institutions of higher education (Office of Management and Budget, 1990a). This approach applies to nonprofit institutions receiving $100,000 or more a year in federal awards, unless the institution receives all the award in a single program.11 When the federal award is only in one program, the institution has the option of using the A-133 approach or the "audit guide" approach.

Under A-133, the individual student financial aid programs are combined and treated as a single program in determining whether the A-133 approach is required and also in determining whether the combined program is a major program.
A program is considered to be a major program under A-133 if the total across all student aid programs is greater than $100,000 or 3 percent of total federal funds received (whichever is greater). Thus, under most applications of A-133 to educational institutions, student aid programs will receive greater audit coverage than under the A-128 approach because each program will be reviewed for the adequacy of the institution's internal controls and tested for compliance.

9 General oversight involves less responsibility. Usually it consists of working through direct recipients to ensure that subrecipients meet their audit requirements and providing technical assistance when requested.

10 This information is from the Department of Education's semiannual reports to the President's Commission on Integrity and Efficiency concerning the quality of non-federal audits. At the time of this writing, I had not been able to determine how many of the audits were of student financial aid programs versus other Department of Education programs.

11 State and local governmental institutions of higher education excluded from the governmental unit's A-128 audit can elect to be audited under the A-133 or the "audit guide" approach.

The A-133 audit of student financial aid programs differs from the "audit guide" and A-128 approaches in that it takes an integrative approach to the institution's administration of the individual aid programs. Guidance for audit procedures under this approach is provided in the Compliance Supplement for Single Audits of Educational Institutions and Other Nonprofit Organizations (Office of Management and Budget, 1991). Procedures for determining whether the institution meets the objectives of reliable financial information and adequacy of internal controls are similar to those in the "audit guide" and A-128 approaches because integrative approaches are most likely taken for these parts of the audit under those approaches.12 The greatest difference is in the compliance portion of the audit, where compliance is considered across individual programs with respect to (1) types of services allowed or not allowed, (2) eligibility, (3) matching, level of effort, and/or earmarking, (4) special reporting requirements, and (5) special tests. In addition, for A-133 audits the specific testing procedures and sample sizes in the Audit Guide do not have to be followed. Nor are any individual programs in which the institution participates excluded from compliance testing because they are nonmajor programs.

Reporting requirements for A-133 audits are similar to those for A-128 audits. However, unlike A-128, in the A-133 approach the auditor is not required to report instances of immaterial noncompliance found during testing. Instances of immaterial noncompliance are required to be reported in a separate written report to the institution.
The institution is then required to submit this list to the appropriate federal agencies, which for instances found in student aid programs would be the Department of Education.

During the 12 months ending March 31, 1992, the Department of Education processed 371 A-133 audits (6 percent of the independent audits processed by the department).13

12 The possible exception might be in the audit of the financial information. Sampling of transactions for testing under A-133 would define the population as all student aid transactions; whereas under A-128 audits, transactions for individual programs determined to be nonmajor would be excluded from the population, and under the "audit guide," transactions might be excluded because the individual program is considered immaterial. However, even under A-133 it may be more efficient to stratify the population by individual program.

13 This information is from the Department of Education's semiannual reports to the President's Commission on Integrity and Efficiency concerning the quality of non-federal audits. At the time of this writing, I had not been able to determine how many of the audits were of student financial aid programs versus other Department of Education programs.
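
The major-program rules quoted above for A-128 (each aid program judged on its own against the larger of $300,000 or 3 percent) and A-133 (all aid programs combined and judged against the greater of $100,000 or 3 percent) can be compared side by side. The following is an added example, not part of the original appendix: the program dollar amounts are constructed, the treatment of amounts exactly at a threshold is an assumption, and the A-128 schedule for units above $100 million is not modeled because the text quotes it only in part.

```python
"""Major-program determination for student aid under A-128 and A-133.

Thresholds are the ones quoted in the text; all dollar figures in the
sample data are constructed for illustration.
"""

A128_FLOOR = 300_000               # A-128: larger of $300,000 or 3 percent
A133_FLOOR = 100_000               # A-133: greater of $100,000 or 3 percent
PERCENT_OF_TOTAL = 3
A128_SCHEDULE_FROM = 100_000_000   # above this, A-128 applies a tiered schedule


def three_percent(total_federal):
    """3 percent of the unit's or institution's total federal assistance."""
    return total_federal * PERCENT_OF_TOTAL / 100


def a128_major(programs, total_federal):
    """Programs that are 'major' under A-128, each judged individually.

    Assumption: a program exactly at the threshold counts as major.
    """
    if total_federal > A128_SCHEDULE_FROM:
        raise ValueError("A-128 schedule above $100 million is not modeled here")
    threshold = max(A128_FLOOR, three_percent(total_federal))
    return {name for name, spent in programs.items() if spent >= threshold}


def a133_major(programs, total_federal):
    """Programs covered when A-133 combines all aid programs into one.

    If the combined total exceeds the threshold, every individual program
    is subject to compliance testing. If it does not, this example returns
    an empty set and makes no claim about what testing applies.
    """
    combined = sum(programs.values())
    threshold = max(A133_FLOOR, three_percent(total_federal))
    return set(programs) if combined > threshold else set()


def compliance_coverage(programs, total_federal):
    """Compare program-level compliance coverage under the two circulars."""
    a128 = a128_major(programs, total_federal)
    a133 = a133_major(programs, total_federal)
    return {
        "a128_tested": sorted(a128),
        "a128_limited": sorted(set(programs) - a128),
        "a133_tested": sorted(a133),
        "a133_limited": sorted(set(programs) - a133),
        "dollars_tested_a128": sum(programs[p] for p in a128),
        "dollars_tested_a133": sum(programs[p] for p in a133),
    }


# Constructed sample: a unit with $20 million in total federal assistance.
SAMPLE_TOTAL = 20_000_000
SAMPLE_PROGRAMS = {
    "Pell Grant": 2_100_000,
    "Guaranteed Student Loans": 900_000,
    "Perkins Loan": 250_000,
    "SEOG": 120_000,
}

# Constructed sample: a small unit where no single aid program is major
# under A-128 but the combined aid total is major under A-133.
SMALL_TOTAL = 5_000_000
SMALL_PROGRAMS = {"Pell Grant": 280_000, "Perkins Loan": 90_000}


if __name__ == "__main__":
    for label, progs, total in (
        ("sample", SAMPLE_PROGRAMS, SAMPLE_TOTAL),
        ("small", SMALL_PROGRAMS, SMALL_TOTAL),
    ):
        print(label)
        for key, value in compliance_coverage(progs, total).items():
            print(f"  {key}: {value}")
```

In the first constructed case the two smaller programs receive only limited testing under A-128 but are compliance-tested under A-133; in the second, no aid program is tested at program level under A-128 while both are covered under A-133.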

ATTESTATION VERSUS COMPLIANCE OBJECTIVES

The model underlying the approach taken in the independent audit requirements for student financial aid programs is that of the attestation audit. The attestation model developed from the need for users of organizations' financial statements to have assurance about the reliability of the information in the statements. In this model the management of the organization makes assertions about the financial condition and activity of the organization (i.e., prepares the financial statements for the period). An auditor independent of the organization then collects evidence regarding those assertions. The evidence collection must be sufficient for the auditor to come to an opinion regarding the appropriateness of the accounting methods used in constructing the statements and the presence or absence of significant error in recording and compiling the period's financial transactions and in applying these accounting methods. Over the years this basic attestation model has been extended to go beyond the financial statement assertions to other areas, such as software, student enrollments, market shares of radio and television audiences, and rates of return of investments.

The basic attestation model is an output-based quality control mechanism. That is, the model views the financial statement assertions as the outputs of a process (i.e., the accounting system) that produces a product (i.e., the financial statements), the components of which (the individual assertions) are then tested after completion (i.e., when the financial statements have been prepared by the organization). Because of the cost of taking this approach with large and complex organizations, the approach has been gradually modified to allow consideration of quality control mechanisms in the production process (i.e., internal controls). However, the emphasis of the model remains on output.
Only in the past few years, with the issuance of Statement on Auditing Standards No. 55 (American Institute of Certified Public Accountants, 1988), have the standards for financial attestation audits required the auditor to give explicit consideration to internal controls.

A risk-based framework (Statement on Auditing Standards No. 47) for allocating audit resources within the financial attestation audit has also evolved (American Institute of Certified Public Accountants, 1983). In this framework, audit risk is defined as the risk that the financial statement will contain a material misstatement after the completion of the audit. This risk is set to be relatively low (5 percent or less). Three component risks are considered to determine audit risk: inherent risk, control risk, and detection risk. Inherent risk is the likelihood that the financial statement innately will contain a material error, assuming there are no related internal control structure policies or procedures. Control risk is the likelihood that the internal control structure policies and procedures would not prevent or detect a material error. Detection risk is the likelihood that the auditor's procedures would not find a material error present in the financial statements. In using this risk framework to allocate audit resources, the framework is applied at the individual assertion level as well. Resources are allocated over assertions such that overall audit risk is equal to, or less than, the acceptable (set) level. Inherent risk and control risk are assessments made by the auditor rather than a decision variable. However, since assessment of control risk at less than 100 percent requires testing of control procedures, the decision whether to consider controls for a specific assertion influences the resource allocation. Detection risk is a function of the auditing procedures (i.e., the effectiveness of the test, the sample size, and so on).

The attestation model appears to work well in determining whether the institution has met the objective of reliable financial information, but it is not clear whether it is an appropriate model for testing the achievement of the compliance objective. Unlike reliability of financial information, the ultimate goal of the compliance portion of the independent audit is not the verification of the implied assertion that the student financial aid program is in compliance or that the noncompliance rate is less than "x" percent, but actual minimizing of noncompliance. Certainly an annual, or biannual, audit can influence the extent of compliance through the effect the expectation of an audit has on auditees. However, random audit, or risk-based audits with a random component, can accomplish the same objectives with significantly fewer resources.14

Even keeping within the current attestation framework, a risk-based approach to the compliance objective could improve the efficient and effective use of audit resources. Currently, under all three approaches to independent audit of institutional compliance, effort is allocated on the basis of dollar coverage rather than risk of noncompliance.
In the "audit guide" approach, resource allocations for auditing program compliance are determined by mandatory procedures and minimum sample sizes. Under A-128 and A-133 audits, various coverage rules apply to testing of institutional controls and compliance. Some indication that the independent audits expend audit resources with less efficiency and effectiveness than possible is found in a comparison of average liabilities assessed per audit and average liabilities assessed per program review (which takes a risk-based approach). For fiscal year 1989, average assessments per audit were $10,300 compared with average assessments per review of $36,675. For fiscal 1990, average assessments per audit were $23,827 compared with $86,243 per program review.

14 See Baron and Besanko (1984) and Anderson and Young (1988a,b) for demonstrations of the optimality of randomized strategies.

Movement toward a risk-based approach for A-128 audits is being advocated by the National State Auditors Association (1992). The American Institute of Certified Public Accountants (1992c) has also adopted a risk-based approach to compliance auditing in SAS 68, Compliance Auditing Applicable to Governmental Entities and Other Recipients of Governmental Financial Assistance. This standard was issued in April 1992 and is effective for audits of fiscal periods ending after June 15, 1992; hence, details of its implementation were not complete at this writing. However, the risk approach is analogous to that in SAS 47 for financial attestation audits (discussed above); it focuses allocation of resources on attestation of compliance rather than achieving compliance.

ILLUSTRATION OF A RISK-BASED APPROACH

To illustrate the coverage of a risk-based audit approach and to provide an indication of the variability that exists in the coverage of student financial aid programs across the three audit types, a description of the audit plan for the 1992 audit of financial aid programs in Texas public higher educational institutions is presented.

The audit of student financial aid programs in public colleges and universities in Texas is conducted by the Office of the State Auditor under a single audit conducted on a statewide basis (i.e., the A-128 approach). This audit covers not only the state-supported colleges and universities, but all state agencies. The objectives of the audit are an opinion on the statewide financial statements and statewide schedule of federal financial assistance, a report on internal controls, and an opinion on compliance with specific requirements applicable to each major federal financial assistance program.

In terms of the compliance objectives, 43 major federal programs must be audited; 2 student financial aid programs (Guaranteed Student Loans and Pell Grant programs) are designated as "major" programs.15 A top-down approach is used to plan the auditing on all major programs. Under this approach, audited prior-year federal expenditures are analyzed.
Then, audit work is scheduled at state entities where at least 85 percent of the respective major program expenditures occurred. However, because of the highly decentralized nature of the student financial aid programs (44 locations administer these programs), the 2 major student aid programs are audited on a three-year cycle. In each year of the cycle, an analysis of prior-year expenditures is made in order to schedule an audit for at least half of related expenditures.16 Thus, in any given year of the cycle, approximately 43 percent of the expenditures in the GSL and Pell Grant programs are audited. Applying these procedures for the GSL program, 23 of the 44 administrative locations are audited over the three years of the cycle, and 9 to 12 locations are audited in any given year. For the Pell Grant Programs, 20 of the 44 locations are covered over the cycle, and 9 are covered in any given year (Office of the State Auditor, 1992b).

15 "Major" programs are determined according to size criteria in OMB Circular A-128. In the state of Texas application of the criteria, any program with federal expenditures of $20 million or greater is a major program.

16 The "related expenditures" are the 85 percent of the total for each program. Note that for the GSL program this does not include expenditures for the Texas GSL Corporation of the State Higher Education Coordinating Board, which are audited every year because of different compliance requirements.

Within each location selected, a risk-based approach is used to determine the amount of audit work to be done on each compliance requirement for major programs. This represents a departure from the "safe harbor" approach suggested by Compliance Supplement for Single Audits of State and Local Governments (Office of Management and Budget, 1990b); it follows instead the risk approach suggested in SAS 68 (paragraphs 63-73).17 The model used to make this determination consists of two main components: (1) impact and (2) risk analysis of federal compliance requirements.18 The procedures for implementing the model are as follows:

1. Determine compliance requirements.
2. Determine impact of requirements.
3. Assess inherent risk.
4. Gain an understanding of the policies and procedures of the control structure that are relevant to preventing or detecting material noncompliance.
5. Assess control risk based on preliminary understanding.
6. Determine level of compliance testing based on impact and risk (both inherent and control risk).
7. Test control structures and perform compliance testing of individual transactions.
8. Reassess level of compliance testing (i.e., determine whether an adequate level of audit evidence is obtained) and expand testing, if necessary.

In this model the auditor makes an assessment of impact (materiality) for each general and specific compliance requirement by considering (1) relative effect of the individual requirement on total program expenditures at the location, (2) significance of the individual requirement to the program's meeting its primary objective, and (3) the size of the program in absolute dollars. The three factors are scored on a nine-point scale, the scores are combined, and the aggregate score is mapped to a category of low, medium, or high impact.

17 "Safe harbor" refers to the practice of following all requirements and procedures recommended in the OMB's compliance supplements. If all recommendations are followed, the federal agencies agree not to question the procedural aspects of the audit.

18 The impact component is analogous to the notion of materiality in the audit of financial statements.

Assessment of risk involves assessment of two basic components, control risk and inherent risk. Control risk is assessed based on the auditor's knowledge of the various control structures affecting each compliance requirement. Assessment of inherent risk consists of an evaluation of the individual compliance requirement on six factors:

1. Structure of transactions: number, size, and complexity of the transactions for which the compliance requirement applies.
2. Newness of the program: for example, a program that has been operating three years or longer without significant change is considered a low risk with respect to this factor.
3. Program carried out through subrecipients: the greater the percentage of expenditures carried out through subrecipients the greater the risk.
4. Program contracts for goods and services: the greater the percentage of expenditures carried out through contractors the greater the risk.
5. Program subject to federal program review: for programs that receive routine program reviews by a federal agency, the risk is low; if the program review occurs every two to three years, the risk is moderate; and the risk is high if the program has never received a program review.
6. Expectation of noncompliance: if the program has not been cited for an instance of noncompliance in previous audits, the risk is low; if material noncompliance was found in audits in the past three years, the risk is high.

The risk evaluation score on each of the six factors is combined to obtain an overall inherent-risk score. The inherent-risk score and the control-risk score are then averaged to obtain an overall risk score, which is then mapped to a category of low, moderate, and high risk.

A table is then used to map the nine possible impact/risk combinations to a level of test work for nontransaction-based requirements and sample sizes for transaction-based requirements. For example, a requirement assessed as low impact and low risk is tested with a sample size of 5 transactions; a requirement assessed as high impact and high risk is tested with a sample of 75 transactions (Office of the State Auditor, 1992a). Further, when major programs are tested at more than one location, auditors at each location make the risk assessments. They then modify the recommended sample size given by the model for the respective locations by the location's proportional share of total program expenditures.

Other Title IV programs, such as the Perkins loan and Supplemental Educational Opportunity Grants programs, are treated in the Texas single audit as nonmajor programs. For these programs the A-128 audit requires that the auditor obtain an understanding of the policies and procedures of the internal control structure that are relevant to preventing or detecting noncompliance. Specific federal compliance requirements are also tested when transactions involving these programs are selected as part of some other audit test.19 Because of the diverse internal control structures and the large number of nonmajor federal programs in the Texas statewide audit (183 program locations), a three-year cycle is used to meet the requirements of obtaining an understanding of the internal control structure. One team of auditors is assigned to audit the nonmajor programs across all locations. This team gains an understanding of internal control structures by reviewing federal "control" questionnaires completed by selected agencies and higher educational institutions. The nonmajor audit team reviews the questionnaires for adequacy, determines if follow-up is required, and performs any additional work.

As this description of the Texas A-128 audit plan illustrates, the extent of audit coverage any location with a student financial aid program would receive varies greatly depending on the type of audit approach taken and the way in which the audit unit is defined (e.g., the GSL program in all public universities within a state versus the GSL program at a particular institution).
If, for example, the state of Texas elected to exclude its institutions of higher education from the statewide audit and cover them under the A-133 or audit-guide approach, significant additional audit resources would be required because of the change in what constitutes a major program and the loss of economies of scale in moving from verifying a single set of assertions about one large population to verifying multiple assertion sets.20 For example, under an A-133 audit, all student financial aid programs at each location would be covered, because under this approach the individual programs are combined and covered as a whole. In the A-128 audit as implemented in the state of Texas, however, even those programs considered to be major do not receive coverage in approximately 50 percent of the locations.

19 These are generally only those compliance requirements related to allowability and eligibility.

20 The reason such large economies of scale are realized by moving to assertions about a larger population is the desire to keep constant audit quality, as defined by the precision of the assertion in terms of percentage of the assertion quantity and not absolute quantities. Thus, one wants the assertion to be within ±10 percent of the dollar value of the annual program expenditures rather than the assertion to be accurate within a range of ±$20,000.

Such differences in coverage matter only in terms of resource requirements if one takes as the objective of the independent audit to attest to the institution's financial statement and compliance rates. However, if the objective of the independent audit is to improve compliance rates, one might question whether the A-128 audit achieves this objective. Discussion with internal audit directors at several public universities in Texas (two at institutions selected for coverage in the statewide audit plan and one at an institution that is not covered) revealed that they regard the student financial aid programs as very high risk in their own audit plans and intend to devote considerable resources to auditing compliance despite the coverage in the statewide audit. Further, even though the Texas single audit incorporated a risk-based approach, it did so only within location. As in all three approaches, the emphasis remains on dollar coverage rather than directing resources to those areas with the weakest compliance.

ALTERNATIVES TO CURRENT APPROACHES TO AUDITING COMPLIANCE

In this section three alternative approaches to the compliance audit requirement are briefly described and the advantages and disadvantages of each are discussed. The alternatives are (1) a risk-based approach to the audit-guide, A-128, and A-133 approaches, (2) a certification model, and (3) a centralized risk-based approach.

A Risk-Based Approach to the Audit Guide, A-128, and A-133 Audits

In this alternative the current approach of combining the audit of the financial statement with the compliance audit is continued. However, the extent of compliance testing that is done for a particular compliance requirement is determined using the compliance risk model presented in SAS 68 (paragraphs 63-73). The approach used in the Texas audit plan described above is an example of this approach. Such an approach could be directly applied to the audit guide and A-133 approaches in cases in which student financial aid is considered a major program, but it does not solve the problem of the A-128 audit in allocating resources across multiple locations.
A risk-based approach can be taken even a step further, however, if one relaxes the current A-128 requirement that a "representative number" of transactions be selected from each major federal program for compliance testing. As a recent draft of a position paper by the National State Auditors Association (1992:12-13) points out:

"In complying with requirements of the Single Audit Act and Circular A-128 we have learned that many of the same federal programs are audited as major programs in all states. In addition, certain specific programs meet the requirement for classification as major within particular states year after year. These programs have been thoroughly audited, and generally state program staff have corrected the major problems from early audits. Thus, we are experiencing a decline in questioned or disallowed cost."

The position paper goes on to note that while major programs are given thorough and consistent audit coverage, nonmajor programs are not. In fact, there is no assurance that they will be given any audit coverage. Yet, at the same time, the nonmajor programs constitute the vast majority of federal programs in each state.

To correct this weakness, the position paper proposes a departure from the current notion of major and nonmajor federal programs. The auditor would test for material noncompliance in the full population of federal programs using a combination of stratified sampling and analytic procedures. A sample of transactions from all federal programs would be stratified so as to obtain a significant portion of the sample from the largest programs. A second group of transactions would be drawn from the smaller programs. And a third group of sample transactions would be selected from among those programs perceived by the auditor to have an unusually high risk of noncompliance. In addition, analytic procedures would be applied to the full population of federal assistance programs. These procedures might indicate areas or programs with increased or decreased levels of risk from those assumed during the planning phase of the audit.

A Certification Model

This alternative is based on the model for ensuring compliance in the European Economic Communities "Eco-audit" scheme and by internal auditors in organizations implementing total quality management programs. The approach consists of relying on those people actually involved in the process to take more responsibility for the quality assurance of the process. Critical points in the process are "audited" or certified by people who are independent of the process, but not necessarily independent of the organization.
For example, in the "Eco-audit" scheme, management at each site participating in the scheme prepares an environmental statement that includes a description of significant environmental issues, a summary of the figures on pollutant emissions and the like, a presentation of the organization's environmental policies and specific objectives for the particular site, and an evaluation of the environmental performance of the protection system implemented at the site. This statement is then verified by an accredited environmental auditor (i.e., one who meets specifically outlined standards of training). This auditor can be an employee of the organization (if the organization has set up an appropriate system to give independence from the activity audited, such as an internal audit function) or an external auditor (Council of the European Communities, 1992).

The important modification in this approach is that the emphasis on the "auditor" is on being qualified to conduct the audit rather than organizational independence. One of the problems frequently encountered with the independent audit of student financial aid programs is that the independent auditors do not understand the program compliance requirements or financial aid operations. By requiring more specific accreditation of the auditor, the quality of the audit process is improved. Allowing the audit to be conducted by auditors who are direct employees of the organization, yet independent of the activity, can increase the quality of the audit because the auditor has knowledge of the institution and the industry.

This type of approach is already in use at some institutions with student financial aid programs. Under the "sample certification" requirement in the Department of Education's Institutional Quality Control Pilot Project, a "third party," such as an institutional auditor external to the financial aid office, certifies that the sample has been drawn according to procedure (U.S. Department of Education, 1991:3-4 to 3-7). Extensions of this technique to other compliance areas would seem productive.

A Centralized Risk-Based Approach

Consideration should also be given to centralizing the compliance audit activity either at the federal level (in the Department of Education) or at the state level (such as with a state postsecondary review entity, as Part H of the 1992 reauthorization of the Higher Education Act proposes).21 By centralizing the responsibility for the audit of compliance, audit resources could be targeted most effectively to those areas where audit would provide the most benefit in identifying compliance problems and proposing corrective action. Further, by including a random component in the selection of program locations for audit,22 the benefit of increased compliance due to the anticipatory effects of audit can still be realized.
21 The state postsecondary review as proposed in Part H of the 1992 reauthorization legislation is not intended to centralize the performance of the audits of compliance requirements but to centralize eligibility review.

22 Here "location" means an audit unit, that is, a unit responsible for the administration of a program. There could be two or more geographical sites to a location, and there could be multiple locations at one geographical site.

During the 1980s, organizations began to develop risk models to improve the allocation of internal audit resources across the organization. The objectives of internal audits are considerably broader than those of the financial attestation audit (i.e., audits of financial statements). They include not only reliability of information, but also efficient use of resources, effectiveness in achieving goals and objectives, safeguarding of organizational assets, and compliance with regulations and procedures. Rather than defining risk in terms of the likelihood of material error in financial statements (as risk is defined in SAS 47) or of material noncompliance (as compliance risk is defined in SAS 68), risk is defined as the uncertainty or vulnerability that an event could adversely affect the organization (Institute of Internal Auditors, 1992). In terms of compliance, the goal is to identify areas of greatest exposure so that the risk of noncompliance can be minimized or managed. Thus, in the internal audit setting the focus is less on maximizing coverage than on targeting areas of greatest exposure so as to minimize risk. Such an approach is similar to that employed by the Department of Education in allocating its program review resources.

The goal of such risk models is to provide an assessment of the risk at each audit location (i.e., program administrative unit). For example, in applying this to student financial aid programs, the risk of noncompliance of each program at each administrative site would be assessed using a model such as the one developed for the Texas single audit.23 Audit resources are then assigned to locations with the highest risk.

This procedure can also be modified to include a strategic component by stratifying the locations into risk classes. For the highest risk class, all locations are audited that year. In the next highest risk class, 60 percent are randomly selected for audit. The process continues with random selection of 15 percent in the next highest risk class and 5 percent of those in the lowest risk class.24 Thus, coverage of a particular location is always possible, thereby providing the anticipatory effect on auditees' behavior (see Anderson and Young, 1988a; Siers and Blyskal, 1987).
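The stratified selection described above, as an added example that is not part of the original appendix. The selection rates (100, 60, 15 and 5 percent) come from the text; the 0-100 score scale, the class cut-offs, the rounding-up rule and the sample locations are assumptions constructed for illustration.

```python
import random
from collections import Counter, defaultdict

# Percent of locations audited per risk class, as stated in the text:
# every location in the highest class, then 60%, 15% and 5% at random.
SELECTION_PCT = {"highest": 100, "high": 60, "moderate": 15, "low": 5}

# ASSUMPTION: cut-offs on a 0-100 risk score; the page gives no thresholds.
CLASS_FLOORS = [(80, "highest"), (60, "high"), (30, "moderate"), (0, "low")]

def risk_class(score):
    """Map a numeric risk score to one of the four risk classes."""
    for floor, name in CLASS_FLOORS:
        if score >= floor:
            return name
    raise ValueError(f"risk score out of range: {score}")

def stratify(locations):
    """Group location names by risk class (sorted for reproducible draws)."""
    strata = defaultdict(list)
    for name in sorted(locations):
        strata[risk_class(locations[name])].append(name)
    return strata

def quota(cls, size):
    """Locations to draw from a class; rounds up so that a small low-risk
    class is never rounded down to zero coverage (a choice made here)."""
    return (SELECTION_PCT[cls] * size + 99) // 100

def select_for_audit(locations, rng):
    """Return {risk class: sorted list of locations chosen this year}."""
    strata = stratify(locations)
    return {cls: sorted(rng.sample(strata[cls], quota(cls, len(strata[cls]))))
            for cls in SELECTION_PCT}

def selection_probability(locations):
    """Chance that each location is audited in any one year."""
    strata = stratify(locations)
    return {name: quota(cls, len(members)) / len(members)
            for cls, members in strata.items() for name in members}

def simulate(locations, years, seed):
    """Count how often each location is audited over a number of years."""
    rng = random.Random(seed)
    audits = Counter({name: 0 for name in locations})
    for _ in range(years):
        for chosen in select_for_audit(locations, rng).values():
            audits.update(chosen)
    return audits

def constructed_locations():
    """CONSTRUCTED sample: 44 program locations with made-up risk scores."""
    groups = [("A", 90, 4), ("B", 70, 10), ("C", 45, 20), ("D", 10, 10)]
    return {f"{tag}{i:02d}": base + i % 5
            for tag, base, n in groups for i in range(n)}

if __name__ == "__main__":
    locs = constructed_locations()
    for cls, chosen in select_for_audit(locs, random.Random(1992)).items():
        print(f"{cls:9s} {len(chosen):2d} audited: {', '.join(chosen)}")
    print("low-class annual chance:", selection_probability(locs)["D00"])
```

Because no class has a selection probability of zero, an auditee in the lowest class cannot rule out being audited in a given year, which is the anticipatory effect the text describes.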
23 Models with greater sophistication have been developed in industry, but that sophistication comes in techniques used to identify the factors to be included in the model rather than the sophistication of the procedures used by the individual auditor for assessing each factor at a location. See Siers and Blyskal (1987) for the model used by E.I. Du Pont.

24 Coverage over time is also assured because one of the factors in most risk models is the amount of time since the last audit. Thus, even those locations initially assessed as low risk will receive coverage as the time since their last audit increases.

CONCLUSIONS AND RECOMMENDATIONS

Study of the auditing literature, the guidance given for performing the compliance portion of the independent audit, and discussion with various individuals in the student financial aid and audit communities indicate that there is some question as to the consistency of audit coverage and the effectiveness of the compliance portion of the independent audit. Based on the foregoing analysis, several recommendations can be made for improving the effectiveness of audits for achieving compliance.

1. Implementation of a risk-based approach to individual compliance requirements, such as suggested in SAS 68, would improve the effectiveness and efficiency of the compliance portion of the independent audit.
2. Extension of a risk-based approach across audit locations would further improve the use of audit resources in meeting the objectives of compliance audits. To maximize the benefits of this approach, consideration might be given to centralizing the compliance audit at the state or national level.
3. Increasing use of "certification" would reduce the need for third-party audits to meet compliance objectives. Such an approach places more responsibility for quality assurance on those actually involved in the process. Critical aspects of the quality assurance program can be "certified" by people independent of the student financial aid office but not necessarily from outside the institution.

REFERENCES

American Institute of Certified Public Accountants
1983 Audit Risk and Materiality in Conducting an Audit. Statement on Auditing Standards No. 47. New York: American Institute of Certified Public Accountants.
1988 Consideration of the Internal Control Structure in a Financial Statement Audit. Statement on Auditing Standards No. 55. New York: American Institute of Certified Public Accountants.
1992a Audits of State and Local Governmental Entities Receiving Federal Financial Assistance. Statement of Position 92-7 - Supplement of AICPA Audit and Accounting Guide, Audits of State and Local Governmental Units. New York: American Institute of Certified Public Accountants.
1992b Compliance and Internal Control Reporting for Student Financial Assistance Programs Using Service Organizations. Proposed Statement of Position - Proposed Amendment to AICPA Audit and Accounting Guide, Audits of Colleges and Universities. New York: American Institute of Certified Public Accountants.
1992c Compliance Auditing Applicable to Governmental Entities and Other Recipients of Governmental Financial Assistance. Statement on Auditing Standards No. 68. New York: American Institute of Certified Public Accountants.

Anderson, U. and R. Young
1988a Internal audit planning in an interactive environment. Auditing: A Journal of Practice & Theory 8(Fall):23-42.
1988b Strategic auditing: A different game. Internal Auditing 4(Fall):14-24.

Baron, D. and D. Besanko
1984 Regulation, Asymmetric Information, and Auditing. Rand Journal of Economics 15(Winter):447-470.

Council of the European Communities
1992 Eco-audit scheme. Proposal for Council Regulation (EEC). COM(91)459. Official Journal of the European Communities No. C 76:2-13.

Institute of Internal Auditors
1992 Risk Assessment. Statement on Internal Auditing Standards No. 9. Altamonte Springs, Fla.: Institute of Internal Auditors.

National State Auditors Association
1992 Position Paper - Single Audit Act. Draft, March 1992, National State Auditors Association, Lexington, Ky.

Office of Management and Budget
1985 Circular A-128, Audits of State and Local Governments. Washington, D.C.: Office of Management and Budget.
1990a Circular A-133, Audits of Institutions of Higher Education and Other Nonprofit Institutions. Washington, D.C.: Office of Management and Budget.
1990b Compliance Supplement for Single Audits of State and Local Governments. Washington, D.C.: Office of Management and Budget.
1991 Compliance Supplement for Single Audits of Educational Institutions and Other Nonprofit Organizations. Washington, D.C.: Office of Management and Budget.

Office of the State Auditor
1992a Impact and Risk Analysis of Federal Compliance Requirements. Austin, Tex.: Office of the State Auditor.
1992b 1992 Statewide Audit Plan. Austin, Tex.: Office of the State Auditor.

President's Council on Integrity and Efficiency
1992 Questions and Answers on OMB Circular A-133. Statement No. 6. Standards Subcommittee. Washington, D.C.: President's Council on Integrity and Efficiency.

Siers, H. and J. Blyskal
1987 Risk management of the internal audit function. Management Accounting 68(February):29-35.

U.S. Department of Education
1990 Audit Guide: Audits of Student Financial Assistance Programs. Office of Inspector General, Office of Audit. Washington, D.C.: U.S. Department of Education.
1991 Institutional Quality Control Workbook. Division of Quality Assurance. Washington, D.C.: U.S. Department of Education.