Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 225
APPENDIX
F
Alternative Approaches to Audit
and Program Review for Student
Financial Aid Programs
Urton Anderson
C. Aubrey Smith Center for Auditing Education and Research
The University of Texas at Austin
The Department of Education has used two types of "audit" to control
student financial aid programs at participating educational institutions: pro-
gram review and independent audit.) With the 1992 reauthorization of the
Higher Education Act (P.L. 102-325), a third type, the state postsecondary
review, has been added. Because there is yet considerable uncertainty about
how this third "audit" mechanism will be implemented, it is discussed here
only in terms of the 1992 amendments' intent and how such a mechanism
might affect program review and, particularly, independent audit. After a
brief treatment of program reviews, the remainder of the paper focuses on
the independent audit.
PROGRAM REVIEWS
Program reviews are conducted by Department of Education personnel
with the objectives of determining compliance with program regulations,
evaluating financial and administrative capabilities, and providing technical
assistance. The limited resources the department has for these reviews are
allocated using a risk model consisting of seven components. The risk
components given the greatest weight (20 percent each) are absence of a
~--r ~ =~ __ ~
~ The department also has responsibility for controlling student loan programs at some
12,000 participating lenders and 47 guaranty agencies. Control of the student financial aid
programs at these types of institutions also involves audits, but such audits are beyond the
scope of this paper.
225
OCR for page 226
226
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
program review in the past four years, default rates (two prior years) greater
than 30 percent, and the number of overdue audit reports. The other four
components of the model (given a weight of approximately 10 percent each)
are significant increases in the number of guaranteed student loans (GSLs)
or Pell grants over the prior three years, change of institution ownership in
the prior three years, whether the institution is being monitored for financial
capability, and a subjective assessment based on impressions from student
complaints or other negative publicity regarding the institution.
The department, until recently, conducted approximately 1,000 program
reviews each year out of a potential 8,500 institutions, an average annual
coverage of about 12 percent of the universe of postsecondary institutions.
Current plans call for 600 to 700 reviews per year. The risk model appears
to be appropriately targeting program review resources. Even using a con-
servative measure of review benefit, average liabilities assessed per review
appear to more than cover their cost. Further, the reviews seem to be
increasingly effective; average liabilities assessed per review have increased
from $37,000 in fiscal year 1989, to $86,000 in fiscal 1990, to an estimated
$150,000 for fiscal 1991.
INDEPENDENT AUDITS
In addition to being subject to program review, the Higher Education
Act of 1965, as amended by P.L. 99-498, required educational institutions
participating in student financial aid programs to have an independent audit
at least every two years.2 The purpose of the independent audits is to help
program managers in the Department of Education meet their stewardship
responsibilities. In particular, the audits are designed to help departmental
managers determine whether institutions participating in the programs
provide reliable financial data,
have an adequate system of internal control for the institution's fi-
nancial aid operations, and
· comply with program regulations.
The audits are performed, under contract to the institution, by state and
local governmental auditors and by independent certified public accountants
(CPAs). The cost of the audits may be recovered by the participating insti-
tution as either a direct or indirect administrative expense. However, no
special appropriations are made for audit costs. The cost must be built into
the institution's specific grant document or overhead proposal. To the ex-
2 The 1992 bill reauthorizing and amending the Higher Education Act of 1965 requires that
independent audits be conducted annually (Section 487(c)(1)(A)(i) of the act, as amended).
OCR for page 227
APPENDIX F
227
tent that administrative costs exceed the program maximum, additional costs
for the audit are not recoverable.
Independent audits may be conducted in one of three ways. The par-
ticular approach taken depends on the type of institution (public, private
nonprofit, for-profit).3 Public and private nonprofit institutions have some
degree of latitude in selecting an approach; for-profit institutions are limited
to one approach. Each of the approaches addresses the three audit objec-
tives listed above, but the audit resources required varies considerably across
the approaches.
Approach One Audit Guide
Under this approach (also called a "program audit"), the auditor follows
the Audit Guide: Audits of Student Financial Assistance Programs, issued
by the U.S. Department of Education (1990~. The guide allows two alterna-
tive methods of conducting the audit. Using the first method the auditor
integrates the auditing procedures with the audit of the financial statement
of the institution and provides an opinion on the financial statements and a
report on supplemental data (i.e., the schedule of expenditures for each
student financial aid program). Using the second method the auditor ren-
ders an opinion only on the Modified Statement of Cash Receipts and Dis-
bursements for student financial aid programs. The approach taken to as-
sessing the adequacy of internal controls and compliance is the same under
either method. Reporting on compliance requires identification of all mate-
rial instances of noncompliance discovered during the audit.
The "audit guide" approach can be selected by public and private non-
profit institutions.4 It appears to be required of for-profit institutions. Dur-
ing the 12 months ending March 31, 1992, the Department of Education
processed 3,040 independent audits that used this approach (51 percent of
the audits processed during the period).S
Approach Two—A-128
Public institutions of state and local governmental entities may satisfy
the independent audit requirement through audits conducted in accordance
3 The type of audit does not depend upon the auditor. State and local governmental auditors
as well as independent auditors (CPAs) can perform any of the three types of audit.
4 There appears to be some restrictions on adoption of the "audit guide" approach for some
private nonprofit institutions. According to Statement No. 6, Question 5, of the President's
Council on Integrity and Efficiency (1992), nonprofit institutions with total awards of $100,000
and more than one student aid program must use the A-133 approach (discussed below).
5 This information is from the Department of Education's semiannual reports to the Presi-
dent's Commission on Integrity and Efficiency concerning the quality of non-federal audits.
At the time of this writing, I had not been able to determine how many of the audits were of
student financial aid programs versus other Department of Education programs.
OCR for page 228
228
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
with Circular A-128 of the Office of Management and Budget (1985~.6
Single audits are required of state and local governments receiving more
than $100,000 per year in federal assistance. However, a state or local
government can elect to exclude institutions of higher education from its A-
128 audits. If the college or university is excluded, it would be subject to
the audit requirements of A-133 (see below). With few exceptions the
audits are required annually.7
The objectives of the single audit are the same as those set out in the
Higher Education Act for independent audits of student financial aid pro-
grams. However, in the single audit the objectives apply to a much larger
entity, namely, the complete governmental unit. The extent to which stu-
dent financial aid programs are covered by the single audit depends on
whether the program is characterized as major or nonmajor. For govern-
mental units receiving between $100,000 and $100 million in federal assis-
tance per year, a "major" program is any program receiving the larger of
$300,000 or 3 percent of total federal assistance to the unit.8 It appears that
determination is made on the basis of each type of student financial aid
program.
If a student financial aid program has been determined to be a major
program, audit procedures would be similar to those under a "guide" audit.
Although the Audit Guide is recommended for use in determining compli-
ance when major student financial aid programs are involved in an A-128
audit, the guide is used primarily to identify specific compliance require-
ments to be tested. The minimum sample size requirements and mandatory
audit areas in the guide need not be Allowed. However, selection and
testing must include a sufficient number of transactions from each major
program to support the audit opinion on each program.
If the student financial aid program is determined to be a "nonmajor"
federal program, limited testing of the internal control structure and compli-
ance is required. For nonmajor programs it is required only that the auditor
obtain an understanding of the internal control structure's policies and pro-
cedures that are relevant to preventing or detecting material noncompliance.
Testing of specific federal compliance requirements is performed only if a
nonmajor program transaction occurs in some other audit test.
6 The Office of Management and Budget (OMB) issued Circular A-128 in conjunction with
the Single Audit Act of 1984. Circular A-128 provided more specifics as to how the Single
Audit Act was to be implemented.
7 The 1992 reauthorization of the Higher Education Act requires annual audits of all student
financial aid programs.
8 Units receiving more than $100 million in assistance apply a schedule going from $100
million to greater than $7 billion. For example, a "major" program would be one with federal
expenditures greater than $3 million for a unit with federal assistance of between $100 million
and $1 billion. The criterion is $20 million for units with assistance of over $7 billion.
OCR for page 229
APPENDIX F
229
Unlike reporting on compliance ir1 the "audit guide" approach (in which
only material instances of noncompliance must be reported), under the Single
Audit Act the auditor is required to report any noncompliance event found
during testing, regardless of its materiality.
In the 12-month period ending March 31, 1992, the Department of
Education processed 2,576 independent audits conducted under the A-128
approach (43 percent of the audits processed during the period). Quality
control for A-128 audits is divided among various federal agencies. The
Department of Education was the cognizant agency (i.e., had responsibility
for overseeing the implementation and the quality control of the audit) for
91 of the A-128 audits. The department also had general oversight respon-
sibility for 1,758 of the A-128 audits.9 Other federal agencies had cogni-
zance or general oversight responsibility for 727 of the audits.l°
To illustrate the variation in coverage of student financial aid programs
in A-128 audits, coverage of public institutions in the A-128 audit of the
state of Texas is presented in a subsequent section of this report.
Approach Three A-133
In 1990 the Office of Management and Budget issued Circular A-133 to
implement the single audit concept for nonprofit organizations, particularly
institutions of higher education (Office of Management and Budget, 1990a).
This approach applies to nonprofit institutions receiving $100,000 or more a
year in federal awards, unless the institution receives all the award in a
single program.ll When the federal award is only in one program, the
institution has the option of using the A-133 approach or the "audit guide"
approach.
Under A-133, the individual student financial aid programs are com-
bined and treated as a single program in determining whether the A-133
approach is required and also in determining whether the combined program
is a major program. A program is considered to be a major program under
A-133 if the total across all student aid programs is greater than $100,000
or 3 percent of total federal funds received (whichever is greater). Thus,
9 General oversight involves less responsibility. Usually it consists of working through
direct recipients to ensure that subrecipients meet their audit requirements and providing tech-
nical assistance when requested.
10 This information is from the Department of Education's semiannual reports to the Presi-
dent's Commission on Integrity and Efficiency concerning the quality of non-federal audits.
At the time of this writing, I had not been able to determine how many of the audits were of
student financial aid programs versus other Department of Education programs.
11 State and local governmental institutions of higher education excluded from the govern-
mental unit's A-128 audit can elect to be audited under the A-133 or the "audit guide" ap-
proach.
OCR for page 230
230
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
under most applications of A-133 to educational institutions, student aid
programs will receive greater audit coverage than under the A-128 approach
because each program will be reviewed for the adequacy of the institution's
internal controls and tested for compliance.
The A-133 audit of student financial aid programs differs from the
"audit guide" and A-128 approaches in that it takes an integrative approach
to the institution's administration of the individual aid programs. Guidance
for audit procedures under this approach is provided in the Compliance
Supplement for Single Audits of Educational Institutions and Other Non-
profit Organizations (Office of Management and Budget, 19911. Proce-
dures for determining whether the institution meets the objectives of reli-
able financial information and adequacy of internal controls are similar to
those in the "audit guide" and A-128 approaches because integrative ap-
proaches are most likely taken for these parts of the audit under those
approaches.l2 The greatest difference is in the compliance portion of the
audit, where compliance is considered across individual programs with re-
spect to (1) types of services allowed or not allowed, (2) eligibility, (3)
matching, level of effort, and/or earmarking, (4) special reporting require-
ments, and (5) special tests. In addition, for A-133 audits the specific
testing procedures and sample sizes in the Audit Guide do not have to be
followed. Nor are any individual programs in which the institution partici-
pates excluded from compliance testing because they are nonmajor pro-
grams.
Reporting requirements for A-133 audits are similar to those for A-128
audits. However, unlike A-128, in the A-133 approach the auditor is not
required to report instances of immaterial noncompliance found during test-
ing. Instances of immaterial noncompliance are required to be reported in a
separate written report to the institution. The institution is then required to
submit this list to the appropriate federal agencies, which for instances
found in student aid programs would be the Department of Education.
During the 12 months ending March 31, 1992, the Department of Edu-
cation processed 371 A-133 audits (6 percent of the independent audits
processed by the department).l3
12 The possible exception might be in the audit of the financial information. Sampling of
transactions for testing under A-133 would define the population as all student aid transac-
tions; whereas under A-128 audits, transactions for individual programs determined to be
nonmajor would be excluded from the population, and under the "audit guide," transactions
might be excluded because the individual program is considered immaterial. However, even
under A-133 it may be more efficient to stratify the population by individual program.
13 This information is from the Department of Education's semiannual reports to the Presi-
dent's Commission on Integrity and Efficiency concerning the quality of non-federal audits.
At the time of: this writing, I had not been able to determine how many of the audits were of
student financial aid programs versus other Department of Education programs.
OCR for page 231
APPENDIX F
231
ATTESTATION VERSUS COMPLIANCE OBJECTIVES
The model underlying the approach taken in the independent audit re-
quirements for student financial aid programs is that of the attestation audit.
The attestation model developed from the need for users of organizations'
financial statements to have assurance about the reliability of the informa-
tion in the statements. In this model the management of the organization
makes assertions about the financial condition and activity of the organiza-
tion (i.e., prepares the financial statements for the period). An auditor
independent of the organization then collects evidence regarding those as-
sertions. The evidence collection must be sufficient for the auditor to come
to an opinion regarding the appropriateness of the accounting methods used
in constructing the statements and the presence or absence of significant
error in recording and compiling the period's financial transactions and in
applying these accounting methods. Over the years this basic attestation
model has been extended to go beyond the financial statement assertions to
other areas, such as software, student enrollments, market shares of radio
and television audiences, and rates of return of investments.
The basic attestation model is an output-based quality control mecha-
nism. That is, the model views the financial statement assertions as the
outputs of a process (i.e., the accounting system) that produces a product
(i.e., the financial statements), the components of which (the individual
assertions) are then tested after completion (i.e., when the financial state-
ments have been prepared by the organization). Because of the cost of
taking this approach with large and complex organizations, the approach
has been gradually modified to allow consideration of quality control mechanisms
in the production process (i.e., internal controls). However, the emphasis of
the model remains on output. Only in the past few years, with the issuance
of Statement on Auditing Standards No. 55 (American Institute of Certified
Public Accountants, 1988), have the standards for financial attestation au-
dits required the auditor to give explicit consideration to internal controls.
A risk-based framework (Statement on Auditing Standards No. 47) for
allocating audit resources within the financial attestation audit has also evolved
(American Institute of Certified Public Accountants, 1983~. In this frame-
work, audit risk is defined as the risk that the financial statement will
contain a material misstatement after the completion of the audit. This risk
is set to be relatively low (5 percent or less). Three component risks are
considered to determine audit risk: inherent risk, control risk, and detection
risk. Inherent risk is the likelihood that the financial statement innately will
contain a material error, assuming there are no related internal control struc-
ture policies or procedures. Control risk is the likelihood that the internal
control structure policies and procedures would not prevent or detect a
material error. Detection risk is the likelihood that the auditor's procedures
would not find a material error present in the financial statements. In using
OCR for page 232
232
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
this risk framework to allocate audit resources, the framework is applied at
the individual assertion level as well. Resources are allocated over asser-
tions such that overall audit risk is equal to, or less than, the acceptable
(set) level. Inherent risk and control risk are assessments made by the
auditor rather than a decision variable. However, since assessment of con-
trol risk at less than 100 percent requires testing of control procedures, the
decision whether to consider controls for a specific assertion influences the
resource allocation. Detection risk is a function of the auditing procedures
(i.e., the effectiveness of the test, the sample size, and so on).
The attestation model appears to work well in determining whether the
institution has met the objective of reliable financial information, but it is
not clear whether it is an appropriate model for testing the achievement of
the compliance objective. Unlike reliability of financial information, the
ultimate goal of the compliance portion of the independent audit is not the
verification of the implied assertion that the student financial aid program is
in compliance or that the noncompliance rate is less than "x" percent, but
actual minimizing of noncompliance. Certainly an annual, or biannual,
audit can influence the extent of compliance through the effect the expecta-
tion of an audit has on auditees. However, random audit, or risk-based
audits with a random component, can accomplish the same objectives with
significantly fewer resources.~4
Even keeping within the current attestation framework, a risk-based
approach to the compliance objective could improve the efficient and effec-
tive use of audit resources. Currently, under all three approaches to inde-
pendent audit of institutional compliance, effort is allocated on the basis of
dollar coverage rather than risk of noncompliance. In the "audit guide"
approach, resource allocations for auditing program compliance is deter-
mined by mandatory procedures and minimum sample sizes. Under A-128
and A-133 audits, various coverage rules apply to testing of institutional
controls and compliance. Some indication that the independent audits ex-
pend audit resources with less efficiency and effectiveness than possible is
found in a comparison of average liabilities assessed per audit and average
liabilities assessed per program review (which takes a risk-based approach).
For fiscal year 1989, average assessments per audit were $10,300 compared
with average assessments per review of $36,675. For fiscal 1990, average
assessments per audit were $23,827 compared with $86,243 per program
review.
Movement toward a risk-based approach for A-128 audits is being ad-
vocated by the National State Auditors Association (1992~. The American
Institute of Certified Public Accountants (1992c? has also adopted a risk-
i4 See Baron and Besanko (1984) and Anderson and Young (1988a,b) for demonstrations of
the optimality of randomized strategies.
OCR for page 233
APPENDIX F
233
based approach to compliance auditing in SAS 68, Compliance Auditing
Applicable to Governmental Entities and Other Recipients of Governmental
Financial Assistance. This standard was issued in April 1992 and is effec-
tive for audits of fiscal periods ending after June 15, 1992; hence, details of
its implementation were not complete at this writing. However, the risk
approach is analogous to that in SAS 47 for financial attestation audits
(discussed above); it focuses allocation of resources on attestation of com-
pliance rather than achieving compliance.
ILLUSTRATION OF A RISK-BASED APPROACH
To illustrate the coverage of a risked-based audit approach and to pro-
vide an indication of the variability that exists in the coverage of student
financial aid programs across the three audit types, a description of the
audit plan for the 1992 audit of financial aid programs in Texas public
higher educational institutions is presented.
The audit of student financial aid programs in public colleges and uni-
versities in Texas is conducted by the Office of the State Auditor under a
single audit conducted on a statewide basis (i.e., the A-128 approach). This
audit covers not only the state-supported colleges and universities, but all
state agencies. The objectives of the audit are an opinion on the statewide
financial statements and statewide schedule of federal financial assistance,
a report on internal controls, and an opinion on compliance with specific
requirements applicable to each major federal financial assistance program.
In terms of the compliance objectives, 43 major federal programs must
be audited; 2 student financial aid programs (Guaranteed Student Loans and
Pell Grant programs) are designated as "major" programs.~5 A top-down
approach is used to plan the auditing on all major programs. Under this
approach, audited prior-year federal expenditures are analyzed. Then, audit
work is scheduled at state entities where at least 85 percent of the respec-
tive major program expenditures occurred. However, because of the highly
decentralized nature of the student financial aid programs (44 locations
administer these programs), the 2 major student aid programs are audited on
a three-year cycle. In each year of the cycle, an analysis of prior-year
expenditures is made in order to schedule an audit for at least half of related
expenditures. Thus, in any given year of the cycle, approximately 43
i5 "Major" programs are determined according to size criteria in OMB Circular A-128. In
the state of Texas application of the criteria, any program with federal expenditures of $20
. . . .
million or greater Is a mayor program.
16 The "related expenditures" are the 85 percent of the total for each program. Note that for
the GSL program this does not include expenditures for the Texas GSL Corporation of the
State Higher Education Coordinating Board, which are audited every year because of different
compliance requirements.
OCR for page 234
234
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
percent of the expenditures in the GSL and Pell Grant programs are audited.
Applying these procedures for the GSL program, 23 of the 44 administra-
tive locations are audited over the three years of the cycle, and 9 to 12
locations are audited in any given year. For the Pell Grant Programs, 20 of
the 44 locations are covered over the cycle, and 9 are covered in any given
year (Office of the State Auditor, 1992b).
Within each location selected, a risk-based approach is used to deter-
mine the amount of audit work to be done on each compliance requirement
for major programs. This represents a departure from the "safe harbor"
approach suggested by Compliance Supplement for Single Audits of State
and Local Governments (Office of Management and Budget, 1990b); it
follows instead the risk approach suggested in SAS 68 (paragraphs 63-
73~.~7 The model used to make this determination consists of two main
components: (1) impact and (2) risk analysis of federal compliance require-
ments.~8 The procedures for implementing the model are as follows:
1. Determine compliance requirements.
2. Determine impact of requirements.
3. Assess inherent risk.
4. Gain an understanding of the policies and procedures of the control
structure that are relevant to preventing or detecting material non-
compliance.
5. Assess control risk based on preliminary understanding.
6. Determine level of compliance testing based on impact and risk (both
inherent and control risk).
7. Test control structures and perform compliance testing of individual
transactions.
8. Reassess level of compliance testing (i.e., determine whether an ad-
equate level of audit evidence is obtained) and expand testing, if
necessary.
In this model the auditor makes an assessment of impact (materiality) for
each general and specific compliance requirement by considering (1) rela-
tive effect of the individual requirement on total program expenditures at
the location, (2) significance of the individual requirement to the program's
meeting its primary objective, and (3) the size of the program in absolute
dollars. The three factors are scored on a nine-point scale, the scores are
)7 "Safe harbor" refers to the practice of following all requirements and procedures recom-
mended in the OMB's compliance supplements. If all recommendations are followed, the
federal agencies agree not to question the procedural aspects of the audit.
|8 The impact component is analogous to the notion of materiality in the audit of financial
statements.
OCR for page 235
APPENDIX F
235
combined, and the aggregate score is mapped to a category of low, medium,
or high impact.
Assessment of risk involves assessment of two basic components, con-
trol risk and inherent risk. Control risk is assessed based on the auditor's
knowledge of the various control structures affecting each compliance re-
quirement. Assessment of inherent risk consists of an evaluation of the
individual compliance requirement on six factors:
1. Structure of transactions number, size, and complexity of the trans-
actions for which the compliance requirement applies.
2. Newness of the program for example, a program that has been op-
erating three years or longer without significant change is considered a low
risk with respect to this factor.
3. Program carried out through subrecipients the greater the percent-
age of expenditures carried out through subrecipients the greater the risk.
4. Program contracts for goods and services the greater the percent-
age of expenditures carried out through contractors the greater the risk.
5. Program subject to federal program review for programs that re-
ceive routine program reviews by a federal agency, the risk is low; if the
program review occurs every two to three years, the risk is moderate; and
the risk is high if the program has never received a program review.
6. Expectation of noncompliance if the program has not been cited
for an instance of noncompliance in previous audits, the risk is low; if
material noncompliance was found in audits in the past three years, the risk
is high.
The risk evaluation score on each of the six factors is combined to obtain an
overall inherent-risk score. The inherent-risk score and the control-risk
score are then averaged to obtain an overall risk score, which is then mapped
to a category of low, moderate, and high risk.
A table is then used to map the nine possible impact/risk combinations
to a level of test work for nontransaction-based requirement and sample
sizes for transaction-based requirements. For example, a requirement as-
sessed as low impact and low risk is tested with a sample size of 5 transac-
tions; a requirement assessed as high impact and high risk is tested with a
sample of 75 transactions (Office of the State Auditor, 1992a). Further,
when major programs are tested at more than one location, auditors at each
location make the risk assessments. They then modify the recommended
sample size given by the model for the respective locations by the location's
proportional share of total program expenditures.
Other Title IV programs, such as the Perkins loan and Supplemental
Educational Opportunity Grants programs, are treated in the Texas single
audit as nonmajor programs. For these programs the A-128 audit requires
OCR for page 236
236
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
that the auditor obtain an understanding of the policies and procedures of
the internal control structure that are relevant to preventing or detecting
noncompliance. Specific federal compliance requirements are also tested
when transactions involving these programs are selected as part of some
other audit test.~9 Because of the diverse internal control structures and the
large number of nonmajor federal programs in the Texas statewide audit
(183 program locations), a three-year cycle is used to meet the requirements
of obtaining an understanding of the internal control structure. One team of
auditors is assigned to audit the nonmajor programs across all locations.
This team gains an understanding of internal control structures by review-
ing federal "control" questionnaires completed by selected agencies and
higher educational institutions. The nonmajor audit team reviews the ques-
tionnaires for adequacy, determines if follow-up is required, and performs
any additional work.
As this description of the Texas A-128 audit plan illustrates, the extent
of audit coverage any location with a student financial aid program would
receive varies greatly depending on the type of audit approach taken and the
way in which the audit unit is defined (e.g., the GSL program in all public
universities within a state versus the GSL program at a particular institu-
tion). If, for example, the state of Texas elected to exclude its institutions
of higher education from the statewide audit and cover them under the A-
133 or audit-guide approach, significant additional audit resources would be
required because of the change in what constitutes a major program and the
loss of economies of scale in moving from verifying a single set of asser-
tions about one large population to verifying multiple assertion sets.20 For
example, under an A-133 audit, all student financial aid programs at each
location would be covered, because under this approach the individual pro-
grams are combined and covered as a whole. In the A-128 audit as imple-
mented in the state of Texas, however, even those programs considered to
be major do not receive coverage in approximately 50 percent of the loca-
tions.
Such differences in coverage matter only in terms of resource require-
ments if one takes as the objective of the independent audit to attest to the
institution's financial statement and compliance rates. However, if the ob-
jective of the independent audit is to improve compliance rates, one might
i9 These are generally only those compliance requirements related to allowability and eligi-
bility.
20 The reason such large economies of scale are realized by moving to assertions about a
larger population is the desire to keep constant audit quality, as defined by the precision of the
assertion in terms of percentage of the assertion quantity and not absolute quantities. Thus,
one wants the assertion to between +10 percent of the dollar value of the annual program
expenditures rather than the assertion to be accurate with a range of +$20,000.
OCR for page 237
APPENDIX F
237
question whether the A-128 audit achieves this objective. Discussion with
internal audit directors at several public universities in Texas (two at insti-
tutions selected for coverage in the statewide audit plan and one at an
institution that is not covered) revealed that they regard the student finan-
cial aid programs as very high risk in their own audit plans and intend to
devote considerable resources to auditing compliance despite the coverage
in the statewide audit. Further, even though the Texas single audit incorpo-
rated a risk-based approach, it did so only within location. As in all three
approaches, the emphasis remains on dollar coverage rather than directing
resources to those areas with the weakest compliance.
ALTERNATIVES TO CURRENT APPROACHES
TO AUDITING COMPLIANCE
In this section three alternative approaches to the compliance audit
requirement are briefly described and the advantages and disadvantages of
each are discussed. The alternatives are (1) a risk-based approach to the
audit-guide, A-128, and A-133 approaches, (2) a certification model, and
(3) a centralized risk-based approach.
A Risk-Based Approach to the Audit Guide,
A-128, and A-133 Audits
In this alternative the current approach of combining the audit of the
financial statement with the compliance audit is continued. However, the
extent of compliance testing that is done for a particular compliance re-
quirement is determined using the compliance risk model presented in SAS
68 (paragraphs 63-73~. The approach used in the Texas audit plan described
above is an example of this approach. Such an approach could be directly
applied to the audit guide and A-133 approaches in cases in which student
financial aid is considered a major program, but it does not solve the prob-
lem of the A-128 audit in allocating resources across multiple locations.
A risk-based approach can be taken even a step further, however, if one
relaxes the current A-128 requirement that a "representative number" of
transactions be selected from each major federal program for compliance
testing. As a recent draft of a position paper by the National State Auditors
Association (1992:12-13) points out:
In complying with requirements of the Single Audit Act and Circular A-
128 we have learned that many of the same federal programs are audited as
major programs in all states. In addition, certain specific programs meet
the requirement for classification as major within particular states year
after year. These programs have been thoroughly audited, and generally
OCR for page 238
238
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
state program staff have corrected the major problems from early audits.
Thus, we are experiencing a decline in questioned or disallowed cost.
The position paper goes on to note that while major programs are given
thorough and consistent audit coverage, nonmajor programs are not. In
fact, there is no assurance that they will be given any audit coverage. Yet,
at the same time, the nonmajor programs constitute the vast majority of
federal programs in each state.
To correct this weakness, the position paper proposes a departure from
the current notion of major and nonmajor federal programs. The auditor
would test for material noncompliance in the full population of federal
programs using a combination of stratified sampling and analytic proce-
dures. A sample of transactions from all federal programs would be strati-
fied so as to obtain a significant portion of the sample from the largest
programs. A second group of transactions would be drawn from the smaller
programs. And a third group of sample transactions would be selected from
among those programs perceived by the auditor to have an unusually high
risk of noncompliance. In addition, analytic procedures would be applied to
the full population of federal assistance programs. These procedures might
indicate areas or programs with increased or decreased levels of risk from
those assumed during the planning phase of the audit.
A Certification Model
This alternative is based on the model for ensuring compliance in the
European Economic Communities "Eco-audit" scheme and by internal audi-
tors in organizations implementing total quality management programs. The
approach consists of relying on those people actually involved in the pro-
cess to take more responsibility for the quality assurance of the process.
Critical points in the process are "audited" or certified by people who are
independent of the process, but not necessarily independent of the organiza-
tion. For example, in the "Eco-audit" scheme, management at each site
participating in the scheme prepares an environmental statement that in-
cludes a description of significant environmental issues, a summary of the
figures on pollutant emissions and the like, a presentation of the organization's
environmental policies and specific objectives for the particular site, and an
evaluation of the environmental performance of the protection system implemented
at the site. This statement is then verified by an accredited environmental
auditor (i.e., one who meets specifically outlined standards of training).
This auditor can be an employee of the organization (if the organization
has set up an appropriate system to give independence from the activity
audited, such as an internal audit function) or external auditor (Council of
the European Communities, 19921.
The important modification in this approach is that the emphasis on the
OCR for page 239
APPENDIX F
239
"auditor" is on being qualified to conduct the audit rather than organiza-
tional independence. One of the problems frequently encountered with the
independent audit of student financial aid programs is that the independent
auditors do not understand the program compliance requirements or finan-
cial aid operations. By requiring more specific accreditation of the auditor,
the quality of the audit process is improved. Allowing the audit to be
conducted by auditors who are direct employees of the organization, yet
independent of the activity, can increase the quality of the audit because the
auditor has knowledge of the institution and the industry.
This type of approach is already in use at some institutions with student
financial aid programs. Under the "sample certification" requirement in the
Department of Education's Institutional Quality Control Pilot Project, a "third
party," such as an institutional auditor external to the financial aid office,
certifies that the sample has been drawn according to procedure (U.S. De-
partment of Education, 1991:3-4 to 3-7~. Extensions of this technique to
other compliance areas would seem productive.
A Centralized Risk-Based Approach
Consideration should also be given to centralizing the compliance audit
activity either at the federal level (in the Department of Education) or at the
state level (such as with a state postsecondary review entity, as Part H of the
1992 reauthorization of the Higher Education Act proposes).2i By central-
izing the responsibility for the audit of compliance, audit resources could be
targeted most effectively to those areas where audit would provide the most
benefit in identifying compliance problems and proposing corrective action.
Further, by including a random component in the selection of program loca-
tions for audit,22 the benefit of increased compliance due to the anticipatory
effects of audit can still be realized.
During the 1980s, organizations began to develop risk models to im-
prove the allocation of internal audit resources across the organization. The
objectives of internal audits are considerably broader than those of the fi-
nancial attestation audit (i.e., audits of financial statements). They include
not only reliability of information, but also efficient use of resources, effec-
tiveness in achieving goals and objectives, safeguarding of organizational
assets, and compliance with regulations and procedures. Rather than defin-
21 The state postsecondary review as proposed in Part H of the 1992 reauthorization legisla-
tion is not intended to centralize the performance of the audits of compliance requirements but
to centralize eligibility review.
22 Here "location" means an audit unit, that is, a unit responsible for the administration of a
program. There could be two or more geographical sites to a location, and there could be
multiple locations at one geographical site.
OCR for page 240
240
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
ing risk in terms of the likelihood of material error in financial statements
(as risk is defined in SAS 47) or of material noncompliance (as compliance
risk is defined in SAS 68), risk is defined as the uncertainty or vulnerability
that an event could adversely affect the organization (Institute of Internal
Auditors, 19921. In terms of compliance, the goal is to identify areas of
greatest exposure so that the risk of noncompliance can be minimized or
managed. Thus, in the internal audit setting the focuses less on maximizing
coverage than on targeting areas of greatest exposure so as to minimize risk.
Such an approach is similar to that employed by the Department of Educa-
. . ~ . . . .
lion In a" .locatlng its program review resources.
The goal of such risk models is to provide an assessment of the risk at
each audit location (i.e., program administrative unity. For example, in
applying this to student financial aid programs, the risk of noncompliance
of each program at each administrative site would be assessed using a model
such as the one developed for the Texas single audit.23 Audit resources are
then assigned to locations with the highest risk.
This procedure can also be modified to include a strategic component
by stratifying the locations into risk classes. For the highest risk class, all
locations are audited that year. In the next highest risk class, 60 percent are
randomly selected for audit. The process continues with random selection
of 15 percent in the next highest risk class and 5 percent of those in the
lowest risk class.24 Thus, coverage of a particular location is always pos-
sible, thereby providing the anticipatory effect on auditees' behavior (see
Anderson and Young, 1 988a; Siers and Blyskal, 1987~.
CONCLUSIONS AND RECOMMENDATIONS
Study of the auditing literature, the guidance given for performing the
compliance portion of the independent audit, and discussion with various
individuals in the student financial aid and audit communities indicate that
there is some question as to the consistency of audit coverage and the
effectiveness of the compliance portion of the independent audit.
Based on the foregoing analysis, several recommendations can be made
for improving the effectiveness of audits for achieving compliance.
1. Implementation of a risk-based approach to individual compliance
23 Models with greater sophistication have been developed in industry, but that sophistica-
tion comes in techniques used to identify the factors to be included in the model rather than the
sophistication of the procedures used by the individual auditor for assessing each factor at a
location. See Siers and Blyskal (1987) for the model used by E.I. Du Font.
24 Coverage over time is also assured because one of the factors in most risk models is the
amount Q; time since the last audit. Thus, even those locations initially assessed as low risk
will receive coverage as the time since their last audit increases.
OCR for page 241
APPENDIX F
241
requirements, such as suggested in SAS 68, would improve the effective-
ness and efficiency of the compliance portion of the independent audit.
2. Extension of a risk-based approach across audit locations would fur-
ther improve the use of audit resources in meeting the objectives of compli-
ance audits. To maximize the benefits of this approach, consideration might
be given to centralizing the compliance audit at the state or national level.
3. Increasing use of "certification" would reduce the need for third-
party audits to meet compliance objectives. Such an approach places more
responsibility for quality assurance on those actually involved in the pro-
cess. Critical aspects of the quality assurance program can be "certified" by
people independent of the student financial aid office but not necessarily
from outside the institution.
REFERENCES
American Institute of Certified Public Accountants
983
988
Audit Risk and Materiality in Conducting an Audit. Statement on Auditing Stan-
dards No. 47. New York: American Institute of Certified Public Accountants.
Consideration of the Internal Control Structure in a Financial Statement Audit.
Statement on Auditing Standards No. 55. New York: American Institute of
Certified Public Accountants.
1992a Audits of State and Local Governmental Entities Receiving Federal Financial As-
sistance. Statement of Position 92-7- Supplement of AICPA Audit and Account-
ing Guide, Audits of State and Local Governmental Units. New York: American
Institute of Certified Public Accountants.
1992b Compliance and Internal Control Reporting for Student Financial Assistance Pro-
grams Using Service Organizations. Proposed Statement of Position Proposed
Amendment to AICPA Audit and Accounting Guide, Audits of Colleges and Uni-
versities. New York: American Institute of Certified Public Accountants.
1992c Compliance Auditing Applicable to Governmental Entities and Other Recipients of
Governmental Financial Assistance. Statement on Auditing Standards No. 68.
New York: American Institute of Certified Public Accountants.
Anderson, U. and R. Young
1988a Internal audit planning in an interactive environment. Auditing: A Journal of
Practice & Theory 8(Fall):23-42.
1988b Strategic auditing: A different game. Internal Auditing 4(Fall):14-24.
Baron, D. and D. Besanko
1984 Regulation, Asymmetric Information, and Auditing. Rand Journal of Economics
15 (Winter) :447 -470.
Council of the European Communities
1992 Eco-audit scheme. Proposal for Council Regulation (EEC). COM(91)459. Offi-
cial Journal of the European Communities No. C 76:2-13.
Institute of Internal Auditors
1992 Risk Assessment. Statement on Internal Auditing Standards No. 9. Altamonte
Springs, F1.: Institute of Internal Auditors.
National State Auditors Association
1992 Position Paper - Single Audit Act. Draft, March 1992, National State Auditors
Association, Lexington, Ky.
OCR for page 242
242
QUALITY IN STUDENT FINANCIAL AID PROGRAMS
Office of Management and Budget
1985 Circular A-128, Audits of State and Local Governments. Washington, D.C.: Of-
fice of Management and Budget.
1990a Circular A-133, Audits of Institutions of Higher Education and Other Nonprofit
Institutions. Washington, D.C.: Office of Management and Budget.
1990b Compliance Supplement for Single Audits of State and Local Governments. Wash-
ington, D.C.: Office of Management and Budget.
1991 Compliance Supplement for Single Audits of Educational Institutions and Other
Nonprofit Organizations. Washington, D.C.: Office of Management and Budget.
Office of the State Auditor
1992a Impact and Risk Analysis of Federal Compliance Requirements. Austin, Tex.:
Office of the State Auditor.
1 992b 1992 Statewide Audit Plan. Austin, Tex.: Of flee of the State Auditor.
President's Council on Integrity and Efficiency
1992 Questions and Answers on OMB Circular A-133. Statement No. 6. Standards
Subcommittee. Washington, D.C.: President's Council on Integrity and Efficiency.
Siers, H. and J. Blyskal
1987 Risk management of the internal audit function. Management Accounting 68(Feb-
ruary):29-35.
U.S. Department of Education
1990 Audit Guide: Audits of Student Financial Assistance Programs. Office of Inspec-
tor General, Office of Audit. Washington, D.C.: U.S. Department of Education.
1991 Institutional Quality Control Workbook. Division of Quality Assurance. Wash-
ington, D.C.: U.S. Department of Education.
Representative terms from entire chapter:
student financial
