ARCHIVED INFORMATION -- Fiscal Year 1997 Annual Accountability Report
|UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
REPORT ON INTERNAL CONTROLS
To the Honorable Richard W. Riley
Secretary of the U.S. Department of Education
We have audited the financial statements of the U.S. Department of Education (Education) as of and for the fiscal year ended September 30, 1997, and have issued our report thereon dated May 29, 1998.
We conducted our audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin 93-06, "Audit Requirements for Federal Financial Statements," as amended. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement.
The management of Education is responsible for establishing and maintaining internal controls. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control structure policies and procedures. The objectives of internal controls are to provide management with reasonable, but not absolute, assurance that: (1) transactions are properly recorded and accounted for to permit the preparation of reliable financial statements and to maintain accountability over assets; (2) funds, property, and other assets are safeguarded from loss from unauthorized use or disposition; (3) transactions, including those related to obligations and costs, are executed in compliance with laws and regulations that could have a direct and material effect on the financial statements and (4) data that support reported performance measures are properly recorded and accounted for to permit preparation of reliable and complete performance information.
In planning and performing our audit of the financial statements of Education for the year ended September 30,1997, we obtained an understanding of the internal control structure. With respect to the internal control structure, we obtained an understanding of the design of relevant policies and procedures and whether they have been placed in operation, and we assessed control risk in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide an opinion on the internal control structure. Accordingly, we do not express such an opinion.
We noted certain matters involving internal controls and their operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants and OMB Bulletin 93-06, as amended. Reportable conditions involve matters coming to our attention which represent significant deficiencies in the design or operation of internal controls that, in our judgment, could adversely affect the entity's ability to meet the internal control objectives stated in the third paragraph of this report.
Certain reportable conditions are also considered to be material weaknesses. A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited or material to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
Presented in Figure 1 is a summary of the material weaknesses and reportable conditions that we noted. These weaknesses are discussed in detail in the balance of this report.
Figure 1: Summary of Material Weaknesses and Reportable Conditions
|Issue Area||Summary Control Issues|
|Loan Estimates for
|Education Needs to Establish the Validity of Its Principal
Data Store to Provide a Basis for Preparing Reliable
Loan Estimates in the Future and Needs to Establish
Sufficient Controls to Detect Material Errors in Its Loan
|FFEL Program -
|Education Needs to Complete Steps Underway for
Improving Oversight of Guaranty Agencies.
|Fund Balances with
|Education's Methods for Reconciling Differences Between the Budget Clearing Account -Suspense Cash and Treasury Need Improvement.|
|Improvements Are Needed to the Financial Reporting
Process So That Education Can Meet the GMRA
|Education Needs to Establish Controls Over the Analysis
and Reporting of Performance Measures.
|Oversight and Analysis of Audits of Postsecondary
Educational Institutions Need Improvement.
|Improvements are Required in Security Over Financial
Systems and in Disaster Recovery Capabilities.
Our consideration of internal controls would not necessarily disclose all mafters that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are considered to be material weaknesses as defined above. We also noted other matters involving internal controls that were not reportable conditions which we will report to the management of Education in a separate briefing.
This report is intended for the information of the management of Education, and the Congress. However, this report is a matter of public record and its distribution is not limited.
Steven A. McNamara
Acting Deputy Inspector General
May 29, 1998
Education Needs to Establish the Validity of Its Principal Data Store to Provide a Basis for Preparing Reliable Loan Estimates in the Future and Needs to Establish Sufficient Controls to Detect Material Errors in Its Loan Estimates. (material weakness)
Education's fiscal year 1997 consolidated financial statements include significant loan estimates related to its student loan programs. These are the $13.3 billion estimated liabilities for loan guarantees under the Federal Family Education Loan (FFEL) Program, $12.3 billion allowance for defaulted guaranteed loans, $1.2 billion allowance for direct loans, and the related guaranteed and direct loan subsidy expenses of $2.2 billion and $0.4 billion, respectively.
In preparing its fiscal year 1997 consolidated financial statements, Education prepared two separate sets of estimates of the estimated liabilities for loan guarantees under the FFEL Program, allowance for FFEL Program defaulted guaranteed loans, allowance for direct loans, and the related guaranteed and direct loan subsidy expenses. One set of estimates was based on data maintained in Education's National Student Loan Data System (NSLDS). The other was based on data provided by ten of the larger guaranty agencies. Education's expectation was that the two sets of estimates would be similar, and that the loan estimates based on data from the ten guaranty agencies would serve to validate the estimates based on NSLDS data. We applied our auditing procedures to the loan estimates based on the data provided by the ten large guaranty agencies. We determined that this approach was more practicable than a direct validation of the data in NSLDS.
In response to the results of our auditing procedures, Education made adjustments to the loan estimates based on data provided by the ten large guaranty agencies, causing them to differ materially from the estimates based on NSLDS data. Education recorded the adjusted loan estimates based on data provided by the ten large guaranty agencies in its fiscal year 1997 financial statements. Although we determined that the data provided by the ten large guaranty agencies was suitable to support the loan estimates included in the fiscal year 1997 financial statements, the usefulness of this data will diminish in fiscal year 1998 and beyond. Education's ability to continue to prepare auditable loan estimates for its financial statements depends on establishing a reliable store of up-to-date historical loan data.
Education's own procedures for preparing its loan estimates were not sufficiently rigorous to detect this material misstatement, and the procedures it does perform are not adequately documented to ensure that significant errors in the loan estimates will be detected. We found that:
This was the first time Education has been able to produce auditable loan estimates for its consolidated financial statements. As Education learns more about its loan programs and is able to receive additional quality data, it should continue to refine its data collection and modeling techniques. This would help improve the reliability of estimates for budgeting and financial reporting and make them more effective tools for managing Education's loan programs. For example, we found that recent trends on consolidations of defaulted loans were significant to the loan estimate for fiscal year 1997. If they are expected to continue to be significant, then separate modeling of their impact on future collections and defaults could enhance the overall reliability of the loan estimates. We also found that due to the limited number of years that the Direct Loan Program has been in existence, Education used FFEL Program data to develop assumptions for the loan estimates for the Direct Loan Program. As more experience with the Direct Loan Program is gained, preparing loan estimates from direct loan data would enhance their reliability.
A strategic plan for calculating the loan estimates is critical for Education to develop supportable loan estimates and meet the GMRA deadline of March 1st. We recommend that Education:
1. Review the current budget submission and determine if a re-estimate is necessary based on the knowledge gained preparing the loan estimates for financial statement purposes.
2. Develop a strategic plan that establishes a) a timeline for GMRA, b) assigned responsibilities to individuals and groups within Education's offices, and c) important milestones for each critical phase (data gathering and validation, assumption development, running the model.)
3. Data gathering and validation
6. Establish and coordinate among the offices (Office of the Chief Financial Officer, Office of Postsecondary Education and Office of the Under Secretary) clearly defined roles and responsibilities for staff and groups within these offices, which are responsible for developing loan estimates related to Education's loan programs. Provide staff training on Education's formal policies and procedures.
7. As more experience with the Direct Loan Program is gained, start to develop assumptions from the direct loan data instead of using the FFEL assumptions. In the interim, perform analytics comparing the direct loan estimates to actual experience.
8. As loan estimates are produced for budget and financial statement purposes, Education needs to perform quality assurance reviews of loan estimates and document the results of these reviews. One way to do this is by developing checklists which include significant analytics that could be performed on the loan estimate.
Education Needs to Complete Steps Underway for Improving Oversight of
Guaranty Agencies. (material weakness)
Guaranty Agencies (GAs) play a critical role in carrying out FFEL Program operations. There are currently 36 GAs participating in the program. These State and not-for-profit institutions are responsible for reviewing student applications and approving loans, reviewing and paying claims to lenders when defaults occur, and collecting on defaulted loans. Depending on their claims experience and the year the loan originated, GAs are reimbursed by Education for up to 100% (98% for loans disbursed on or after October 1, 1993) of claims they pay to lenders. At Education's discretion, GAs are also reimbursed for administrative expenses incurred in carrying out FFEL Program operations (equal to 0.85% of the new loan volume). GAs are required to remit to Education at least 70% of amounts collected on defaulted loans. They are permitted to retain the remaining portion of collected amounts to cover expenses associated with collections. But the amounts not remitted to Education and not used for collection and other allowable expenses are required to be held in a reserve account, known as the "Guaranty Agency Reserves" an account which, by statute, is considered an asset of Education.
Because the GAs are crucial intermediaries in delivering guaranteed loans to students, and because their financial and credit management activities so closely interact with those of Education, it is important that sufficient internal controls be in place to monitor their operations and properly account for transactions and assets executed or held on Education's behalf. However, we identified instances where internal controls need improvement, or where Education needs to complete action plans it has already initiated to address internal control weaknesses.
Education Does Not Yet Have Effective Controls Over Receivables for Defaulted Loans and GA billings.
When borrowers default on loans, lenders submit claims and are reimbursed by GAs. When Education subsequently reimburses GAs, in most cases for almost the full amount of the claims paid, Education records an asset in its financial records to reflect the money it is now owed by the borrowers who defaulted. On Education's behalf, GAs initiate collection efforts on the defaulted loans and are required to remit at least 70% of any amounts collected to Education. Though GAs are, in effect, performing a loan servicing function for Education, defaulted loans are Education's assets. Thus Education must have controls in place to ensure the amounts owed and collections recovered are accurately reflected in its accounting records.
Education's general ledger accounts for loans receivable activity reported by GAs on an aggregate basis (subsidiary records by GA are not maintained). The primary sources of transactions affecting the loans receivable balance are obtained through monthly billings to Education on form 1 1 89 and quarterly submissions by the GAs on the form 1 1 30. As activity from these forms is posted to the general ledger, Education increases or decreases its loans receivable balance in the general ledger, accordingly. For example, a default payment reported on the form 1 1 89 for a guaranteed loan increases the loans receivable balance and a collection on a defaulted loan reported on the form 1 1 89 decreases the loans receivable balance. Default payments to GAs in fiscal year 1997 totaled $3.3 billion and collections on defaulted loans by GAs totaled $1.0 billion.
While Education can review GA billings for obvious errors or significant fluctuations, its automated systems are incapable of independently checking detailed supporting information for the billings. Instead, to a large degree, Education relies upon audits of GAs performed by private Independent Public Accountants (IPAS) and State Auditors (auditors) to ensure the integrity of billings from GAs. In conjunction with the financial statement audits of the FFEL Program for fiscal years 1992 - 1994, the General Accounting Office (GAO) and the Office of Inspector General (OIG) reviewed the extent of the IPAs' and auditors'coverage of the GAs' billings to Education. We reported (GAO/AIMD-94-131 and ACN 17-30302) that based on interviews with the IPAs and auditors and review of their working papers, that the "... auditors conducted only limited tests of the accuracy of the billings reports of the guaranty agencies." The GAO and OIG reported this condition as a material weakness for fiscal years 1992 - 1994. Based upon work performed during the 1995 - 1997 audits, this condition has not yet been resolved.
It appeared as though IPAs and auditors did not focus their testing on GA billings to the degree Education desires. Even though Education's guidance indicated billing information should be tested, the requirements were not specific enough with respect to the level of desired testing. Recognizing this, in August of 1996, OIG issued revised audit guidance, entitled Compliance Supplement - Federal Family Education Loan Program - Guaranty Agencies (84.032), in a Dear Colleague letter to all GAs participating in the FFEL Program. This guidance became retroactively effective for fiscal years on or after June 30, 1996. On June 30, 1997 the Office of Management and Budget (OMB) also issued this guidance in its OMB Circular A-1 33 compliance supplement although effective for GA fiscal years ending on or after June 30, 1997. Both require auditors of GAs to specifically audit and report on the integrity of the billings submitted to Education. This guidance should significantly improve Education's assurance as to the propriety of GAs' billings. To use this guidance as an effective monitoring tool, Education needs to receive reports on audits under this guidance and to perform quality control reviews on these audits to ensure that the guidance has been implemented properly. However, there is no evidence that GA audit reports were performed in accordance with Education's compliance supplement. Audit reports under
the OMB Circular A-133 compliance supplement would not yet be available to Education until fiscal year 1998. Until this guidance has been fully implemented, audits of GAs will not provide Education sufficient information to verify the integrity of GAs' billings.
Independent of their monthly billings on the form 1189, the GAs report to Education the loans receivable balance from their records on the quarterly form 1130. Loans and all associated rights and title are assigned to Education once collection efforts have been exhausted by the GAs. The form 1 1 30 should be used as a verification check to ensure the total defaulted loans receivable as recorded in its general ledger agrees with the defaulted loans receivable reported by the GAs to Education. Currently, Education is unable to fully reconcile loans receivable from its general ledger to cumulative balances reported on the form 1130. Education attributes the differences between the general ledger and the 1130 loans receivable balances to timing and instructional differences between the two forms. For example, the form 1189 reports claims requested by the GAs from Education where the form 1130 reports the actual cash received by the GAs from Education.
As another example, Education maintains loan level detail for the assigned loan portfolio on the Debt Collection Management system (DCMS). However, Education currently does not perform a reconciliation between DCMS and assigned loans reported by the GAs on form 1130. Independent confirmations with GAs of assigned loans disclosed a $153 million difference from DCMS at fiscal year end. An initiative is currently underway to revise the Education forms 1189 and 1130 to make the forms easier to reconcile, especially for the defaulted loans receivable balances.
Accountability Over Reserves Maintained by GAs Would Be Improved if Accrual-Basis Information Were Also Required
Education provided the initial funding to establish the GAs and is the principal source of ongoing GA funding. Generally, assets accumulated by the GAs in carrying out their duties for Education that are not required to be immediately remitted are retained by the GAs in a reserve account. Even though Education does not hold these reserves, they are still considered assets of Education. The Higher Education Act (Sec. 422 (g) (1)) states:
"Notwithstanding any other provision of law, the reserve funds of the guaranty agencies, and any assets purchased with such reserve funds, regardless of who holds or controls the reserves or assets, shall be considered to be the property of the United States..."
The Higher Education Act also specifies conditions under which the Secretary can require the GAs to return these funds. These conditions have been exercised in the past, whereupon the Secretary has required return to the Federal government all or a portion of GA reserve funds. These reserves are reported to Education, as defined by 34 CFR Chapter VI Section 682, using the cash instead of accrual basis of accounting. Other information reported on form 1130 is not sufficient to calculate an accurate accrual basis reserve balance. We believe controls over GA reserves would be strengthened if Education mandated that accrual accounting be used for purposes of reporting reserve balances to Education.
To audit amounts reported as guaranty agency reserves and defaulted loans receivable, we applied auditing procedures to relevant data provided to Education by ten of the larger guaranty agencies. The guaranty agencies provided this data in response to a request from the National Council of Higher Education Loan Programs. This data reflected activity through September 30, 1996. We determined that this data was sufficiently current to support the audit of guaranty agency reserves and loans receivable through September 30, 1997. However, the usefulness of the data that the ten large guaranty agencies provided to Education will diminish in fiscal year 1998 and beyond. Education's ability to continue to support the amounts it reports as guaranty agency reserves and loans receivable depends on establishing a reliable store of up-to-date records of these amounts.
Education Is Implementing Many Needed Improvements
Education recognized the need to improve GA oversight before our audit commenced. Several corrective actions are underway to address the conditions herein reported. In addition to having issued expanded guidance for audits of GAs and undertaking the revisions of forms 1 1 89 and 1 1 30, Education will use NSLDS to track all activity and balances for individual loans. This system will be able to determine the reasonableness of billings from GAs and to better control Education's assets (i.e., loans receivable and reserves) held by the GAs.
We recommend that Education:
Education's Methods for Reconciling Differences Between the Budget Clearing Account - Suspense Cash and Treasury Need Improvement. (material weakness)
A major objective of internal controls is to ensure the integrity of the underlying accounting data supporting the financial statements. An important control in this regard is the periodic reconciliation of Education's accounting records with the records maintained by the Department of the Treasury, which effectively serves as Education's bank. Proper reconciliations provide the assurance that all disbursement, receipt and appropriated fund transactions, processed on Education's behalf by Treasury, are properly recorded in Education's accounting records.
For many years, Education has had difficulty in identifying and resolving differences between its accounting records and cash transactions reported by Treasury. There are several underlying reasons. One reason is that formal reconciliation procedures were not always current. Another is that reconciliations were inconsistently performed while identified differences were not always adequately explained, resolved, and posted to Education's general ledger. During fiscal year 1996, Education addressed some of these issues raised in the prior year report by undertaking an extensive reconciliation project that resulted in numerous adjustments, aggregating billions of dollars, to adjust its cash balance, as recorded in its general ledger, to agree with Treasury. A major portion of this project was the first-ever reconciliation of Education's Budget Clearing Account - Suspense (BCAS) with Treasury. Education uses the BCAS to temporarily hold transactions which cannot be identified to a specific fund or account. These transactions are supposed to be researched and then cleared from the BCAS when a final determination is made. The adjusted BCAS balance as of September 30, 1997 equaled $117 million or.3% of Education's total fund balance ($39 billion).
Despite earlier progress, Education did not continue to periodically reconcile the BCAS with Treasury's records during fiscal year 1997. Thus, unreconciled differences continued to accumulate between Education's general ledger balances and Treasury balances. At fiscal year end, this difference approximated $179 million (net). Research of this difference continued through the first half of fiscal year 1998, contributing to Education's missing the Government Management Reform Act (GMRA) of 1994 deadline for submission of audited fiscal year 1997 financial statements. The reconciliation process was further complicated because this difference was not limited to fiscal year 1997 activity. We found that a major portion ($138 million net) of the total difference of $179 million was related to activity prior to September 30, 1996 and identified in the September 30, 1996 year-end reconciliation. Education had not posted adjustments at a detailed level to the general ledger as planned to correct reconciling differences identified during the September 30, 1996 reconciliation. The remainder of the $179 million difference was identified by Education as reconciled differences equaling $27 million (net) while $14 million (net) related to unreconciled differences as of September 30, 1997.
We were able to conclude that the amount of the remaining unreconciled difference did not indicate a significant risk that the fiscal year 1997 financial statements were materially misstated. However, Education's practice of delaying reconciliation of this account until after the end of the fiscal year exposes it to the risk that material errors or irregularities could occur and not be detected on a timely basis. Accountability over financial records is lost when reconciliations are either not fully performed (i.e. adjusting entries are not posted to general ledger balances) or performed inconsistently. Education had begun the initial process of reconciling the BCAS with Treasury in fiscal year 1996. If Education had leveraged this knowledge, a reconciliation process for fiscal year 1997 would have been more fully established and reconciling differences for fiscal year 1997 would have been minimized. However, weaknesses in Education's internal controls over the reconciliation process prevented the timely detection and correction of errors in the underlying accounting records. Further, the delays experienced in completing the reconciliation was one of several factors which prevented Education from submitting audited financial statements by the statutory deadline of March 1"' established by the GMRA. Finally, remaining in-balance or reconcilable with one's bank account is perhaps the most fundamental and important control for assuring the accounting records remain consistent with cash transactions. At a minimum, quarterly reconciliations, followed by prompt action to resolve differences, are necessary to ensure the reliability of accounting data and management control over cash transactions.
Education attributes its reconciliation problems to inadequate integration between its general ledger system and its payments and funds control systems that are the original points of entry for many cash transactions. These integration problems result in certain cash transactions not being properly and timely transferred from the originating systems to Education's general ledger system, thus causing Education's cash balances as recorded in its general ledger to differ with Treasury. Moreover, Education's general ledger system was not well integrated with external systems Education uses to process its payroll and administrative disbursements, systems that interface directly with Treasury. To correct its financial system problems, Education is implementing the Education Central Automated Processing System (EDCAPS). EDCAPS is expected to improve integration between Education's general ledger and other financial systems; and Education expects it to reduce the problems in posting of transactions to the general ledger that currently exist. EDCAPS is scheduled to be fully implemented during fiscal year 1998.
We also noted that a contributing factor was the lack of current policies. The procedure manual used for tracking, researching, and clearing entries in the BCAS was developed in 1994. Since that time, Education has experienced changes that could affect this manual. Examples would include the growth of the Direct Loan Program since its inception in 1994 thereby increasing the number of related transactions, and the implementation of a new general ledger system as part of EDCAPS in October 1997.
Due to events such as these, Education needs to update the present manual.
Education should continue to improve its present procedures for reconciling the BCAS with Treasury. As a resource, Education may wish to review the General Accounting Office's (GAO) recently issued memorandum to the Inspectors General, GAO/AIMD-97104R, regarding the reconciliation of fund balances with Treasury. We also recommend that Education:
Improvements Are Needed to the Financial Reporting Process So That Education Can Meet the GMRA Deadline. (material weakness)
The Government Management Reform Act (GMRA) of 1994 established a statutory deadline of March lst for audited financial statements. Education was unable to meet this deadline for fiscal year 1997 financial statements, although a timeline had been established by Education at the commencement of the audit. This delay is partly attributable to Education's conversion to a new general ledger system, as part of Education's Central Automated Processing System (EDCAPS), effective October 1, 1997, and to delays in completing Education's reconciliation of fund balance with Treasury and preparation of loan subsidy estimates. However, we also noted weaknesses in Education's financial reporting process that contributed to the delay in timely financial statements for fiscal year 1997. If left uncorrected, these weaknesses in financial reporting could also prevent Education from meeting the GMRA deadline for its fiscal year 1998 financial statements. Significant weaknesses in financial reporting include:
Education does not prepare and analyze interim financial statements. As a result, account analyses and reconciliations are delayed until year end which makes it difficult to complete them in time to meet the GMRA deadline. When year-end statements are prepared, inconsistencies and errors are disclosed since account activity is not routinely monitored during the fiscal year. Thus, significant adjustments as part of a general account "clean-up" at year-end are identified and posted. We found that Education posted 434 entries with a value of $89 billion. Education reports $74 billion in assets on its Statement of Financial Position. Regular financial statement preparation and analysis on a monthly or quarterly basis may eliminate the need for many of these adjustments during the year-end closing process and improve the timeliness of the financial statements since financial reporting activities would not be confined to year end. It would also mitigate the risk that material errors or irregularities in Education's accounts could go undetected until after the end of the fiscal year.
?490?Education lacks sufficient documented policies and procedures for financial reporting. During fiscal year 1997, Education personnel relied on guidance provided orally and through internal electronic mail messages when preparing adjusting entries to the financial statements. When the financial statements were reviewed internally, Education personnel found errors in many of the financial statement adjustments that required additional correcting adjustments. We reviewed 82 of the 434 financial statement adjustments which approximated $88 billion or 98% of the total. Approximately 33 entries or 40% were made to fully or partially reverse other?490 journal entries. Total dollar amount of these entries equaled $15 billion. Education attributes these errors to inexperience or miscommunication between Education personnel. Improved policies and procedures may prevent this in the future. Education should outline financial statement preparation steps, and define lines of responsibility for OCFO employees. Current policies and procedures should be expanded for identifying and posting closing and adjusting entries as well as requesting and approving object class codes, which are used to accumulate transactions into line items to create Education's Statement of Operations and Statement of Cash Flows. For example, Education should have a standard listing of common closing and adjusting entries during the reporting cycle. An additional benefit to expanded and documented procedures would be more fully trained personnel.
Education should maintain evidence of review for all stages of financial reporting, A recurring finding in our testing of the financial reporting process was the lack of evidence of supervisory review. We reviewed 82 financial statement adjustments for which we were unable to obtain evidence of supervisory review prior to posting the entries to the database used to prepare the financial statements. For the entries posted to Education's new general ledger system, 24 out of 41 lacked evidence of supervisory review. The number of errors in adjusting entries that were identified and corrected by Education demonstrates the need for improvements in the level and depth of the review.
We recommend that Education:
Education Needs to Establish Controls Over the Analysis and Reporting of Performance Measures. (reportable condition)
Education has developed a framework for the verification and validation of its performance indicators. However, Education has not defined a process for how it will assemble and analyze the data and how it will prepare the performance reports required by the Government Performance and Results Act (GPRA) of 1993. The basic process needs to be defined and communicated prior to the beginning of fiscal year 1999 (the first year for which program performance reports are required) so that each individual understands the basic process and his or her role in it before the beginning of fiscal year 1999. This is to help ensure that proper mechanisms are in place to measure performance occurring in fiscal year 1999. In addition, because the credibility of the performance report will depend upon the credibility of the use and interpretations of the data, we believe that Education should establish controls over the analysis of data and the reporting of performance information.
We recommend that Education:
Oversight and Analysis of Audits of Postsecondary Educational Institutions Need Improvement. (reportable condition)
The Higher Education Act of 1965, as amended, authorizes Education to provide grants and loans to assist students in obtaining postsecondary education. The largest grant programs are the $6.4 billion Federal Pell Grant Program and the $830 million Federal Work Study Program. Grants are provided to almost 4 million students. The amount of the grant for which the student is eligible is based on his/her family income and the institution's tuition. The principal loan programs are the Federal Family Education Loan (FFEL) Program and the William D. Ford Federal Direct Loan (Direct Loan) Program. As of September 30, 1997, Education reported $101 billion in loan guarantees outstanding under the FFEL Program and $22 billion in outstanding loans under the Direct Loan Program.
The institution guides the student in completing the application for financial assistance and processes the application through Education's central processing facility. The institution is also responsible for confirming income data reported by the students on a sample basis.
Education's control structure to ensure that the institutions apply student financial assistance funds in accordance with the applicable regulations includes the following:
Results of External Audits Need to Be Summarized and Followed-up
Education's principal control for ensuring that student financial assistance funds are being spent for eligible students at allowed amounts is its requirement that all participating institutions have routine financial and compliance audits performed by Independent Public Accountants or State Auditors (auditors). These audits are required by the Single Audit Act for government entities and not-for-profit institutions and by the Higher Education Act for proprietary institutions. Education has issued guidance for the auditors performing these audits, which requires testing of controls and transactions related to the student financial assistance funds received by these institutions. During our audit of Education's processes for overseeing the institutional audits we found that:
Case Management Team Approach Would be Improved if the Utilization of Monitoring Resources Were More Balanced.
Education's Office of Postsecondary Education (OPE) reorganized the monitoring of postsecondary institutions into case management teams which correspond to specific geographic areas, at the beginning of fiscal year 1997. Each team performs similar functions including gatekeeping and on-site reviews of postsecondary institutions in conjunction with Education's regional offices. During our audit of Education's processes for overall monitoring of participating institutions, we noted that:
Education needs to improve its monitoring of schools participating in the Direct Loan Program.
The William D. Ford Loan Program has paid out over $22 billion to students since its inception in 1994 and represents one of the fastest growing programs at Education. During our fiscal year 1997 financial audit, we noted changes made in program operations in the first half of the year that impacted the internal controls. These changes included the hiring of a new contractor to perform loan originations and consolidations for the Direct Loan Program. The transition to the new contractor led to a severe lack of monitoring capabilities on behalf of Education. In particular, Education was unable to receive several critical management information reports for several months. This lack of information impaired management"s ability to adequately monitor the activities within the program and ensure that it was continuing to operate as intended.
One tool used by Education to monitor schools participating in the Direct Loan Program is program reviews. Education's Program Review Guide is used by Education personnel who perform program reviews. However, this guide does not require the reviewer to validate Education's records of direct loan receivables. The guide does not include procedures that direct the reviewer to determine if loan information at the schools is consistent with the information maintained in Education's systems. Since the inception of the Direct Loan Program in 1994, Education has performed only 23 program reviews at participating schools. Therefore, Education must rely on information in audit reports prepared by the school's Independent Public Accountants (IPA). Similarly, Education does not have a mechanism in place that would allow an IPA to validate Education's direct loan receivables while performing a school's audit.
We recommend that Education:
Improvements are Required in Security Over Financial Systems and in Disaster Recovery Capabilities. (reportable condition)
In performing our audit, we reviewed system security and disaster recovery planning for Education's key financial systems in operation during fiscal year 1997. Education's Primary Accounting System (PAS) was the general accounting system for Education. Another key financial system was the Payment Management System (PMS), which was used to process approximately $33 billion in grant and contract disbursements annually. Funds were disbursed through PMS to government and private institutions. PAS, PMS, and other mainframe-based systems were replaced in fiscal year 1998 with the core financial management system (EDCAPS).
During our review, we identified system security problems within the PMS system. The NIH mainframe that housed PMS ran the Resource Access Control Facility (RACF), a global system-wide security package that provides many features to limit access, such as password controls, transaction controls, and logging/reporting functionality. However, since PMS was not defined to RACF, it could not take advantage of these security features. If properly implemented, the RACF security software would have reduced the risk of unauthorized access to PMS and provided increased assurance as to the integrity of Education's disbursement data. However, Education decided not to have PMS defined to RACF and instead focused on planned controls in EDCAPS.
Because the security package was not implemented for PMS, Education relied solely upon application level security built into the PMS system. The application level security did not provide a sufficient level of security for PMS, particularly given this system's role in controlling disbursements of over $33 billion annually. The deficiencies in PMS security could have enabled unauthorized users to access confidential data, change data, make unauthorized payments, or bring down the system. Details as to specific security vulnerabilities that existed in PMS have been discussed with Education's management.
We also identified deficiencies in disaster recovery and operational continuity capabilities for both PAS and PMS. Although a high level framework for disaster recovery existed, a formal, detailed plan had not been established, approved and tested. The absence of a formal, tested recovery plan means that Education may not have been able to recover critical systems and data and resume processing in the event of a disaster at one of its principal data centers.
Education took some steps to address this concern raised during our audit. For instance, backup files for PMS were successfully restored at an off-site processing location. Nonetheless, Education decided to spend minimal resources on PAS and PMS and instead dedicate efforts on the new EDCAPS system then in development.
Contractor assistance was secured to develop and document a global disaster recovery strategy and individual contingency plans are to be prepared for upcoming critical financial applications. These contingency plans must not only address how to recover from the occurrence of a disaster, but also how to continue to support critical functions during the recovery stage.
We recommend that Education:
- Business Impact Analysis for each customer/division/resource to determine the critical system and processes.
- Identification of critical applications and their recovery and telecommunication requirements.
- Cost-effective (commensurate with business risks) recovery strategies to address short and long-term interruptions,
- A detailed business recovery strategy addressing personnel, recovery resources, and recovery actions. Specifically, this task covers the identification of individuals responsible for managing and performing the recovery process, definition and assignment of team members' responsibilities, identification of key technical and non-technical resources, and development of detailed restoration procedures.
[Auditor's Opinion on Consolidated Financial Statements] [Auditor's Report on Compliance with Laws and Regulations]