oversight

Case Management and Oversight's Audit Tracking and Resolution Process.

Published by the Department of Education, Office of Inspector General on 2000-09-29.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                Audit of Case Management and Oversight’s
                 Audit Tracking and Resolution Process



                                    FINAL AUDIT REPORT




                          Audit Control Number ED-OIG/A03-90003
                                      September 2000




Our mission is to promote the efficient                 U.S. Department of Education
and effective use of taxpayer dollars                   Office of Inspector General
in support of American education.                       Philadelphia, PA
                                 NOTICE
Statements that management practices need improvements, as well as other
conclusions and recommendations in this report represent the opinions of the
Office of Inspector General. Determination of corrective action to be taken will be
made by the appropriate Department of Education officials.

In accordance with Freedom of Information Act (5 U.S.C. §522), reports issued by
the Office of Inspector General are available, if requested, to members of the press
and general public to the extent information contained therein is not subject to
exemptions in the Act.
Audit of CMO’s Audit Tracking and Resolution Process           ED-OIG/A03-90003



                          TABLE OF CONTENTS
                                                                           Page

EXECUTIVE SUMMARY……………………………………………………………….1

AUDIT RESULTS….………………………………...………………………….……..…3

        FINDING NO. 1 – Oversight of Compliance and Financial Statement
                        Audit Report Submission Requirements Needs
                        Improvement…………………………………………………3

        FINDING NO. 2 – Compliance Audit Reports Were Not Processed In
                        Accordance with CMO’s Established Procedures………..….….7

        FINDING NO. 3 – Compliance Audit Reports Were Not Issued Timely
                        by the Contractor………………………….………………….9

        FINDING NO. 4 – Missing Data and Data Errors in Computer Based
                        Systems………………………………………………...……11

OTHER MATTERS……………………….…………………………………..…………12

BACKGROUND....………………………………………………………………….…..13

AUDIT SCOPE AND METHODOLOGY……….……………………………...……....13

STATEMENT ON MANAGEMENT CONTROLS…………….…………………...….14

APPENDIX – AUDITEE’S COMMENTS...…..…………………...…………………...15
Audit of CMO’s Audit Tracking and Resolution Process                            ED-OIG/A03-90003




                              EXECUTIVE SUMMARY


We reviewed Case Management and Oversight’s (CMO) processes for ensuring that:
1) all required annual financial statement and compliance audit reports are submitted
when due; 2) findings are coded correctly; 3) reports are issued by the Document
Receipt and Control Center (DRCC) contractor in a timely manner, and, if necessary,
4) reports are resolved in a timely manner.1

We determined that CMO does not ensure all required Student Financial Assistance
(SFA) compliance audit reports, Single Audit reports, and third-party servicer audit
reports are submitted when due. We also found that CMO does not ensure that: 1) all
compliance audit report findings are coded correctly; and 2) the contractor for the
DRCC issues all compliance audit reports in a timely manner. We concluded that
CMO has an effective system in place to ensure the timely submission of financial
audits of proprietary institutions, and that CMO generally resolves compliance audit
reports in accordance with the Office of Management and Budget (OMB) Circular A-
50 requirement for timely resolution.

In order to manage and track the resolution of audit findings, the findings are assigned
numeric deficiency codes. We reviewed 50 compliance reports to determine the
correctness of the deficiency codes assigned. We found that for 17 of the 50 reports,
there was at least one finding for which an improper deficiency code was assigned.
Also, for 10 of the 50 reports, there was at least one finding for which a deficiency
code was not assigned. Ten of the 50 reports were submitted late, but were not coded
accordingly. The effect of improper coding is that matters that should be identified for
resolution are not.

The contractor that operates the DRCC did not always meet its contractual
responsibility to issue reports within 30 days of their receipt date. Of 3,139 issued
reports that we analyzed for timeliness of processing, 1,433 (46 percent) were issued
untimely with an average of 79 days. Significant findings (requiring resolution action)
were included in 706 of the issued reports, and 321 (45 percent) of these were not
issued on a timely basis. The longer the delay in issuing "deficient" compliance audit
reports (those with significant findings), the more difficult it is for CMO to resolve
these reports in accordance with the OMB requirement of 180 days for timely
resolution of audit findings.

There were some data omissions and data errors that we noted in the two computer
systems used in the process for receiving, logging, screening, issuing, and resolving
audit reports.

1 Case Management and Oversight is a division within the Student Financial Assistance Schools
Channel.


                                                 1
Audit of CMO’s Audit Tracking and Resolution Process                  ED-OIG/A03-90003




We noted significant improvement in the timeliness of audit resolution by CMO from
conditions that we reported in our SFA Action Memorandum No. 97-6, issued in
August 1997. Of the 745 reports we were able to review for timely resolution, 290
had been closed, and 253 (87 percent) of these were timely resolved. Of the 455
reports still in process, only 54 (12 percent) had been on hand for more than 180 days.
In the SFA Action Memorandum, we reported that 92 percent of reports were not
timely resolved for Award Year 1995, and 57 percent were not timely resolved for
Award Year 1996.

We recommend the Chief Operating Officer (COO) for Student Financial Assistance:
• improve the oversight of audit report submissions;
• ensure that reports are processed properly;
• achieve timely issuance of reports by the DRCC contractor; and
• take corrective action to ensure that required data elements are completely and
  correctly recorded in PEPS and Lotus Notes.

SFA concurred with all of our recommendations and noted that it has either already
implemented or will be implementing actions to address the issues raised in the audit’s
findings. We summarized SFA’s response after each finding and a copy of the
complete response is contained in the Appendix.




                                              2
Audit of CMO’s Audit Tracking and Resolution Process                 ED-OIG/A03-90003




                                  AUDIT RESULTS



Case Management and Oversight (CMO) administers a process for receiving, logging,
screening, issuing and resolving audit reports required to be submitted by all
institutions that participate in the Student Financial Assistance (SFA) programs. To
perform these functions, CMO has established a Document Receipt and Control
Center (DRCC) operated by a contractor. CMO uses two principal systems for
performing these responsibilities: the Postsecondary Education Participant System
(PEPS), and Lotus Notes.

We reviewed CMO’s processes for ensuring that: 1) all required annual financial
statement and compliance audit reports are submitted when due; 2) findings are coded
correctly; 3) reports are issued in a timely manner, and, if necessary, 4) reports are
resolved in a timely manner. In August 1997, we issued SFA Action Memorandum
No. 97-6 reporting problems with the tracking of audit report submissions and timely
issuance and resolution of reports. While CMO has taken some actions to correct the
problems in the audit tracking and resolution process, there are several areas where
processes need to be improved.

Finding No. 1       Oversight of Compliance and Financial Statement Audit Report
                    Submission Requirements Needs Improvement

CMO does not have adequate processes in place to identify and take timely action
against institutions that fail to submit annual compliance audit reports and audited
financial statements. Consequently, there is no assurance that these institutions: 1)
meet annual compliance audit and financial statement report submission requirements;
2) initiate prompt corrective action on audit recommendations; and 3) are financially
responsible.

An institution participating in any SFA program is required by the Single Audit Act
(for public and private non-profit institutions that expend $300,000 or more in a year
in Federal awards) and by the Higher Education Act (for proprietary institutions) to
annually have an independent auditor conduct a compliance audit of its administration
of those SFA programs in which it participates, and an audit of its general purpose
financial statements. Depending on the type of institution and audit, reports are due
six, nine or thirteen months after an institution’s fiscal year ends.

As provided by the Higher Education Act (HEA) a third-party servicer that
administers any aspect of an institution’s participation in SFA programs must have
annual compliance and financial statement audits performed by an independent
auditor, and must submit these audits annually to the Secretary.



                                              3
Audit of CMO’s Audit Tracking and Resolution Process                   ED-OIG/A03-90003


CMO should ensure that all institutions submit their required annual compliance
audit reports in a timely manner.

CMO does not have a system in place to ensure that all institutions participating in the
SFA programs submit their required annual compliance audit reports in a timely
manner. Efforts by CMO to notify institutions that had not submitted compliance
audit reports for award year 1996 did not begin until July 1998, over a year after most
of the reports were due. In July 1998, CMO identified and mailed delinquency letters
to 213 institutions that did not submit 269 required SFA compliance audit reports
covering award years 1994 through 1996. Also, in December 1998, CMO identified
and mailed delinquency letters to 614 institutions that did not submit 839 required
Single Audit compliance reports covering award years 1994 through 1996. At the
time of our review, no effort was underway to determine compliance audit reports that
were past due for award year 1997, although most Single Audit reports were due by
July 31, 1998, and most SFA compliance reports were due by either December 31,
1997, or June 30, 1998.

CMO is not monitoring institutions participating in the SFA programs to ensure they
submit required annual compliance reports on a timely basis. Therefore, they cannot
assure that prompt corrective actions are taken on audit findings, which in some cases
require unallowable expenditures be repaid to the Department.

During our review CMO personnel informed us that a process was in development
using PEPS and Lotus Notes software to generate letters requesting institutions’ SFA
compliance audit reports on a real-time basis.

CMO should ensure that all public and private non-profit institutions submit
annual audited financial statements.

CMO does not have a system in place to ensure that public and private non-profit
institutions that participate in the SFA programs submit their required annual audited
financial statements. CMO provided us with a listing, as of February 25, 1999, which
indicated that there were 731 institutions (approximately 19 percent of the total
universe of eligible single audit filers) which had not submitted audited financial
statements that were due during the period October 1, 1997 through September 30,
1998.

CMO does have a system in place for the real-time identification of annual audited
financial statements due from proprietary institutions that participate in the SFA
programs. Proprietary institutions are sent a reminder notice to submit their financial
statements 60 days prior to the financial statement due date. If proprietary institutions
fail to submit audited financial statements, CMO will send them a delinquency letter
30 days after the financial statement due date. In addition, each month institutions that
fail to submit their financial statements within ten days of the date of a delinquency
letter are referred to CMO’s Administrative Action and Appeals Division for




                                              4
Audit of CMO’s Audit Tracking and Resolution Process                   ED-OIG/A03-90003


appropriate administrative action. Our review revealed that during the period October
1, 1997 through September 30, 1998, CMO generally complied with these procedures.
Since CMO does not identify late or missing annual financial statement audits of
public and private non-profit institutions participating in the SFA programs, there is no
assurance that the financial statement audits of all these institutions are being
performed. As a result, institutions that are not financially responsible may continue
to participate in SFA programs and SFA funds may be at risk (e.g., lack of resources to
meet program and financial obligations).

CMO should establish an audit resolution system for third party servicer reports.

CMO needs to establish and implement procedures for receiving, logging, screening,
issuing and resolving third-party servicer audit reports. CMO has not performed any
audit resolution on its inventory of 122 third-party servicer audit reports covering
fiscal years 1994 through 1998.

OMB Circular A-50, “Audit Followup,” requires Federal departments and agencies to
document and have in place a system of audit resolution. CMO is not monitoring
third-party servicers’ compliance with audit requirements. Consequently, there is no
assurance that third-party servicers:

        •   meet the annual compliance audit and audited financial statement report
            submission requirements;
        •   initiate prompt corrective actions on audit findings; and
        •   are financially responsible.

Recommendations:

We recommend that the COO for SFA:

1.1 Establish a system to track the receipt of SFA compliance audit reports and Single
    Audits on a real-time basis, and initiate appropriate action to ensure these reports
    are received when due.

1.2 Establish a system to track, process, and resolve third-party servicer audit
    reports, assigning priority to resolving those third-party servicer audit
    reports with the most serious deficiencies.

SFA’s Reply:

SFA concurred with both recommendations. SFA acknowledged that prior to
our audit CMO did not have a system in place to track the receipt of SFA
compliance audit reports in real-time, but noted that this has changed. CMO
also generates a monthly combined notification to remind proprietary schools
that their compliance reports and financial statements will be due in 60 days.




                                              5
Audit of CMO’s Audit Tracking and Resolution Process                  ED-OIG/A03-90003


With respect to Single Audits, SFA stated that in order to meet its oversight
responsibility it will work with the Office of the Chief Financial Officer (OCFO) and
the Census Bureau’s Federal Audit Clearinghouse to identify and notify Single Audit
Act institutions that have failed to submit their Single Audits of their obligations.

SFA also stated that by September 2000 it will initiate a study for the development
and implementation of an electronic audit and financial statement process that will
enable CMO to track the receipt of all audits, proprietary and Single Audit, in real-
time.

Regarding third-party servicer audits, SFA stated that CMO’s Data Management and
Analysis Division (DMAD) “determined that resolving servicer audits is a redundant
process as independent auditors performing institutional audits are required to review
servicer audits as part of their overall review of institutional compliance.” SFA also
stated that it had previously requested the OIG to review the cost benefit of the
servicer audit submission requirements.

OIG’s Response:

SFA’s statements that it has established a system to track the receipt of
compliance audit reports on real-time basis, and a process to generate a
monthly notifications to remind proprietary schools that their compliance
reports and financial statements will be due in 60 days, should improve the
audit tracking process. However, SFA’s planned actions do not ensure that it
will establish a system to track the receipt of Single Audits on a real-time
basis. Each fiscal year CMO plans to wait until all Single Audits are past due
before attempting to identify institutions that have not submitted reports.

Resolving third-party servicer audits would not be duplicative of ongoing activities.
CMO personnel informed us that servicer audit findings included in institutional audit
reports are not being resolved. Also, an independent auditor’s review of a servicer
audit for the limited purposes of completing an institution’s compliance audit would
not resolve all possible issues that might arise from the audit of the servicer,
particularly systemic issues.

We acknowledge that in response to the OIG’s 1999 request for workplan suggestions,
SFA requested a cost benefit analysis of servicer audits. However, until SFA begins to
track and resolve servicer audits, sufficient data is not available to conduct a
meaningful analysis.




                                              6
Audit of CMO’s Audit Tracking and Resolution Process                   ED-OIG/A03-90003


Finding No. 2       Compliance Audit Reports Were Not Processed In Accordance
                    with CMO’s Established Procedures

The DRCC did not always properly code compliance audit report findings. As a
result, matters that should have been identified for resolution were not.

CMO’s processes for: (1) determining if a compliance report contains findings and or
other deficiencies not identified as such by the auditor (i.e., the audit report is
submitted late); (2) coding the findings and or deficiencies in order to track their
proper resolution; and (3) determining whether the report warrants full resolution by a
Case Team, are set forth in its Procedures Memorandum 97-19, “Procedures for
Classifying and Issuing ‘Deficient’ and ‘Non-deficient’ Audit Reports.”

The DRCC is required to classify each finding in an acceptable audit, using 4-digit
deficiency codes established by CMO. Each deficiency code has been assigned a
designation that denotes whether the finding is considered “significant” or “minor.”
The DRCC is also charged with entering these codes into PEPS. Reports are classified
as either "deficient" (i.e., contain findings requiring resolution action) or "non-
deficient" (i.e., do not require resolution action).

Based on the coding of findings, PEPS designates whether the audit report is a
“deficient” (Deficiency Indicator 1) or “non-deficient” (Deficiency Indicator 0 or 2)
report. Deficiency indicator “0” reports have no findings, while deficiency indicator
“2” reports have findings that do not require resolution by a Case Team. Deficiency
indicator “1” reports have questioned costs of at least $10,000 or more; or an error rate
of 10% or greater on a significant finding; or a significant finding that automatically
requires resolution by a Case Team.

The procedures also state that: “Deficient audits are resolved by the Case Team
through the issuance of a Final Audit Determination. Non-deficient audits with
findings (Indicator 2) are resolved by incorporating into the issuance letter standard
language instructing the school to correct the deficiencies cited, and document the
corrective action.”

Compliance audit report findings were not assigned appropriate deficiency codes.

CMO provided us with a file, which listed every compliance audit report received
during fiscal year 1998. The universe included 4,628 compliance audit reports.

We randomly selected 50 compliance audit reports for review. The 50 compliance
audit reports included:
• 10 deficiency indicator 0 reports;
• 10 deficiency indicator 1 reports; and
• 30 deficiency indicator 2 reports.




                                              7
Audit of CMO’s Audit Tracking and Resolution Process                   ED-OIG/A03-90003


Ten of the 50 compliance reports processed by the DRCC contained at least one
finding for which the DRCC failed to assign a deficiency code. Also, 17 of the 50
reports contained at least one finding in which the code assigned for the finding did
not relate to the instance of non-compliance as presented in the audit report.

As a result of the non-coding and mis-coding of findings, 4 reports that were processed
as deficiency indicator “2” reports should have been processed as deficiency indicator
“1” reports and undergone full resolution by the Case Team through the issuance of a
Final Audit Determination letter. We also noted one deficiency indicator “0” report
and one deficiency indicator “1” report that should have been processed as deficiency
indicator “2” reports.

The coding errors appear to be the result of the DRCC contracted employees’ lack of
familiarity with SFA programs, and attempts to code findings using a deficiency code
listing that does not reflect all the finding possibilities. The non-coding of findings
appears to be the result of errors on the part of the DRCC staff.

Delinquent compliance audit reports were not coded for lateness.

Our review disclosed that 10 of the 50 compliance audit reports (6 SFA Audit Reports
and 4 Single Audit Reports) were not submitted in a timely manner. SFA Audit
Reports are due six months after an institution’s fiscal year end. Single Audit Reports
are due thirteen months after an institution’s fiscal year end for fiscal years beginning
on or before June 30, 1998, and nine months after an institution’s fiscal year end for
fiscal years beginning on or after July 1, 1998.

Although the 10 reports did not meet the applicable timely filing requirements, DRCC
staff did not identify these reports as delinquent with a 4-digit deficiency code in
PEPS as required by CMO procedures. CMO’s Procedures Memorandum 97-18,
“Procedures for Receiving and Determining the Acceptability of a Student Financial
Assistance Report,” instructs the DRCC staff to, based on the audit period end date
and current date, determine whether the audit is on time or late. The memorandum
also states, “The DRCC staff also identify and classify findings not identified as such
by the auditor but observable in the report (e.g. the audit is submitted late).”

We found that 2 of the 10 reports were processed as deficiency indicator “0” reports;
however, they should have been processed as deficiency indicator “2” reports since
submitting a delinquent audit report is considered a significant finding per CMO
Procedures Memorandum 97-19.

Recommendations:

We recommend that the COO for SFA:

2.1 Ensure that the deficiency code listing is updated to include all finding
    possibilities.



                                              8
Audit of CMO’s Audit Tracking and Resolution Process                     ED-OIG/A03-90003




2.2 Ensure that the DRCC properly codes each finding as well as findings not
    identified as such by the auditor but observable in the report (e.g. the audit is
    submitted late).

SFA’s Reply:

SFA concurred with these recommendations.

Finding No. 3       Compliance Audit Reports Were Not Issued Timely by the
                    Contractor

The contractor that operates the DRCC did not always meet its contractual
responsibility to issue compliance audit reports within 30 days of their receipt date.

CMO established the DRCC to solicit, receive, track, screen and file compliance
audits, financial statement audits, and recertification applications. To perform these
functions, CMO obtained the services of a contractor. For SFA audits and Single
Audits, the Statement of Work for the DRCC Contract states that: “The contractor shall
issue all compliance audit reports within 30 days of receipt.” For SFA audits, issuance
of the compliance audit report includes “screening for completeness and acceptability,
coding the findings and questioned costs….” For Single Audits, issuance “includes
coding the findings and questioned costs….” The issue date for these reports is the
date of the correspondence sent from CMO to the SFA and Single Audit filers
acknowledging the receipt of an acceptable audit report.

CMO received 4,628 compliance audit reports during fiscal year 1998. We were
unable to analyze whether 1,456 of these reports were issued timely because the
DRCC: 1) failed to record the receipt date for 810 of the reports; 2) rejected 634 of the
reports due to problems with the report; and 3) recorded improper receipt and or issue
dates for 23 reports (11 were also rejected reports). Of the 3,172 reports we were able
to analyze, 3,139 were issued and 33 were not as of November 27, 1998. Of the issued
reports, 1,433 (46 percent) were not issued within 30 days of their receipt at the
DRCC, with an average of 79 days to issue. Further, 32 of the 33 unissued reports had
been in receipt at the DRCC for over 30 days as of November 27, 1998.




                                              9
Audit of CMO’s Audit Tracking and Resolution Process                                       ED-OIG/A03-90003


                                         Analysis of Issued SFA Audit Reports

                                                                                                       Average Number of
                                                     Number of Reports       Number of Reports Not    Days for Reports Not
                            Number of Reports      Issued Within 30 Days     Issued Within 30 Days   Issued Within 30 Days
   Deficiency Indicator        Analyzed

 Code 0 (No Findings)              978                      509                      469                      76

 Code 1 (Significant               613                      319                      294                      77
 Findings)

 Code 2 (Minor Findings)           740                      320                      420                      89


                                         Analysis of Issued Single Audit Reports


                                                                                                       Average Number of
                                                     Number of Reports       Number of Reports Not    Days for Reports Not
                            Number of Reports      Issued Within 30 Days     Issued Within 30 Days   Issued Within 30 Days
   Deficiency Indicator        Analyzed

 Code 0 (No Findings)              542                      412                      130                      66

 Code 1 (Significant               93                       66                        27                     113
 Findings)

 Code 2 (Minor Findings)           173                      80                        93                      64


While it is required that all compliance audit reports be issued within 30 days of
receipt, it is of critical importance that those reports with significant findings
(deficiency indicator code 1) be issued in a timely manner. The longer the delay in
issuing “deficient” compliance audit reports the more difficult it is for CMO to resolve
these reports within a maximum of six months after their receipt, as required by OMB
Circular A-50.


                                 Days to Issue Deficient Reports
                                    62
                              27
                                                                           1 - 30 Days (385)
                           40
                                                                           31 - 60 Days (192)
                                                                           61 - 90 Days (40)
                                                      385
                                                                           91 - 120 Days (27)
                           192
                                                                           Over 120 Days (62)




Recommendation:

3.1       We recommend that the COO for SFA ensure that all compliance audit reports
          be issued within 30 days of receipt.



                                                     10
Audit of CMO’s Audit Tracking and Resolution Process                   ED-OIG/A03-90003


SFA’s Reply:

SFA concurred with this recommendation.

Finding No. 4       Missing Data and Data Errors in Computer Based Systems

CMO’s two principal systems for receiving, logging, screening, issuing and resolving
audit reports are PEPS and Lotus Notes. During our review, we noted missing data
and data errors in these computer based systems.

Compliance audit reports placed on hold appeared as rejected reports in PEPS.

From our review of a sample of 50 compliance audit reports, we identified that for 10
of these reports, rejection dates were recorded in the PEPS system. For nine of these
reports, we were unable to locate copies of the rejection correspondence in CMO’s
compliance audit report folders. CMO personnel explained that these nine reports
were never actually rejected; rather, they were entered into the Audit Report screen in
PEPS as “on-hold.” CMO staff stated that: 1) due to a deficiency in the PEPS system,
rejection dates and correspondence are created when an on-hold date is entered in the
PEPS Audit Report screen; and 2) these reports had been issued before CMO became
aware of this problem. At the time of our review, in order to prevent rejection dates
and correspondence from being created by PEPS for on-hold reports, CMO staff had
to perform a manual override that required entering the PEPS Correspondence screen
and changing the correspondence type code.


Institutions’ fiscal year end dates were not recorded in CMO’s Lotus Notes
database.

CMO provided us with a listing of 312 Single Audit institutions and 52 SFA
institutions for which it does not have fiscal year end dates recorded in its Lotus Notes
database. The Lotus Notes database is used to track SFA institutions’ annual financial
statement audit report submissions on a real-time basis.

At the time of our review, CMO was unable to track the receipt of financial statement
audit reports from the 364 institutions on a real-time basis.

Recommendations:

We recommend that the COO for SFA:

4.1 Initiate appropriate action to ensure that when an on-hold date is entered into the
    PEPS Audit Report screen, the system automatically generates the appropriate
    dates and correspondence.

4.2 Determine the fiscal year end dates for each of the 364 institutions missing that
    data and input those dates into the Lotus Notes database.


                                              11
Audit of CMO’s Audit Tracking and Resolution Process                  ED-OIG/A03-90003




SFA’s Reply:

SFA concurred with these recommendations.




                                 OTHER MATTERS


Audit Reports Are Being Resolved More Timely

When a compliance audit report identifies findings that need to be resolved, CMO
follows up with the institutions to work out a course of corrective action. OMB
Circular A-50 requires that these findings be resolved within six months of report
receipt.

We noted significant improvement in the timeliness of audit resolution by CMO.
Previously, we reported, in SFA Action Memorandum No. 97-6, that CMO seldom
resolved compliance audit reports within 180 days of receipt as required by OMB
Circular A-50. Our review of 290 “deficient” reports closed during fiscal year 1998
revealed that 253 (87 percent) of these were resolved in a timely manner. Further, of
455 “deficient” reports still in process as of November 27, 1998, only 54 (12 percent)
had been on hand for more than 180 days.

The “DRCC Referral to the Administrative Action and Appeals Division
(AAAD)” report was not supported by source records.

We randomly selected 20 institutions from the January 1999 Report “DRCC Referral
to AAAD” to determine if the data recorded on the Referral Report was supported by
source records. The Referral Report data reviewed included the status of 80 financial
statement reports (four financial statement reports, covering fiscal years 1995 through
1998, for each of the 20 institutions selected). CMO was unable to locate its financial
statement folders for 2 of the 20 institutions originally chosen for review and 2
replacement selections were made. Of the 80 financial statement reports included in
our review, 57 were coded as either Complete or Incomplete, and 23 were coded as
Not Received on the Referral Report. Of the 57 reports coded as either Complete or
Incomplete we were unable to verify whether 6 were coded properly, as we could not
locate them in the institutional financial statement report folders provided by CMO.




                                              12
Audit of CMO’s Audit Tracking and Resolution Process                    ED-OIG/A03-90003



BACKGROUND
The Higher Education Act Amendments of 1998 established a performance based
organization (PBO) for managing the operational functions of the Title IV Student
Financial Assistance programs. The Office of Student Financial Assistance was
designated as the PBO. This office was reorganized in the fall of 1999 and renamed
Student Financial Assistance (SFA). Within SFA, the operational procedures of the
Institutional Participation and Oversight Service (IPOS) did not change, however, it
was renamed Case Management and Oversight (CMO), a division within the SFA
Schools Channel.

At the time of our review, CMO was one of six services within SFA that was
responsible for administering the Title IV SFA programs. CMO is responsible for
determining whether institutions meet statutory eligibility and certification
requirements for participation in these programs. CMO also develops and
implements: 1) policies and procedures for monitoring institutions participating in the
SFA programs to ensure compliance with Federal legislation, regulations and policies;
2) alternative oversight programs such as the Quality Assurance Program; 3) activities
related to resolving issues that arise when schools close, declare bankruptcy, or are
otherwise in financial or administrative jeopardy; and 4) activities of the Secretary’s
default reduction initiative.

A CMO report titled “Universe of Eligible and Certified Postsecondary Institutions”
stated that as of September 30, 1998 there was a universe of 5,832 institutions eligible
and certified to participate in the SFA programs. Institutions participating in the SFA
programs are required by the Single Audit Act (for public and private non-profit
institutions that expend $300,000 or more in a year in Federal awards) and by the
Higher Education Act (for proprietary institutions) to have annual compliance and
financial audits performed by independent public accountants or state auditors. Also,
as provided by the Higher Education Act, a third-party servicer that administers any
aspect of an institution’s participation in SFA programs must have annual compliance
and financial audits performed by an independent auditor. CMO is responsible for
receiving, tracking, screening, issuing and resolving these reports. To perform these
functions, CMO established a Document Receipt and Control Center (DRCC) operated
by a contractor.

AUDIT SCOPE AND METHODOLOGY
The objectives of our audit were to determine whether CMO has established and
implemented procedures which provide reasonable assurance that: 1) all required
annual financial statement and compliance audit reports are submitted when due, 2)
findings are coded correctly, 3) reports are issued and, if necessary, 4) resolved in a
timely manner.

To accomplish our objectives we analyzed the file, provided by CMO, which
contained the universe of 4,628 compliance audit reports received during fiscal year


                                              13
Audit of CMO’s Audit Tracking and Resolution Process                    ED-OIG/A03-90003


1998. We reviewed 50 randomly selected compliance audit report files. In addition,
we reviewed CMO’s Postsecondary Education Participant System (PEPS) information
for the selected 50 institutions. We analyzed the listing provided by CMO of all
Single Audit and SFA financial statement reports that were due, but not received,
during fiscal year 1998. We examined the financial statement report folders for 20
institutions that we randomly selected from the universe of 607 institutions included
on the January 1999 DRCC Referral to the AAAD Report. In addition, we reviewed
CMO’s Lotus Notes information for the selected 20 institutions. We reviewed CMO’s
procedures for tracking, processing, and resolving compliance audit and financial
statement reports. We also interviewed CMO personnel to obtain an understanding of
these procedures. We reviewed the Report on Internal Controls for Student Financial
Assistance Programs from the U.S. Department of Education’s 1997 Financial
Statement Report. We also reviewed the 1998 Federal Managers’ Financial Integrity
Act Report.

We relied in part on computer-processed data contained in CMO’s Lotus Notes
database and PEPS. We performed limited tests of the output of computer processes
to verify reliability. Based on the results of the tests described, we concluded that the
computerized data was sufficiently reliable to formulate conclusions associated with
the objectives described above.

We conducted our on-site fieldwork at CMO’s headquarters in Washington, DC. Our
fieldwork was conducted from November 17, 1998 through August 6, 1999.
Subsequent to the completion of our fieldwork, additional analyses were performed
from October 1999 through December 1999. Our audit was performed in accordance
with government auditing standards appropriate to the scope of the audit described
above.

STATEMENT ON MANAGEMENT CONTROLS
As part of our audit, we made an assessment of CMO’s management controls, policies,
procedures, and practices applicable to the scope of the audit. Our assessment was
performed to determine the level of control risk for determining the nature, extent, and
timing of our substantive tests to accomplish the audit objective.

For the purpose of this report, we assessed and classified the significant controls into
the following categories:

        •   Procedures for Receiving Required Annual Compliance Audit and
            Financial Statement Reports
        •   Procedures for Classifying and Issuing Compliance Audit Reports

Because of inherent limitations, a study and evaluation made for the limited purpose
described above would not necessarily disclose all material weaknesses in the control
structure. However our assessment disclosed management control weaknesses. These
weaknesses are fully described in the Audit Results section of this report.


                                              14
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003



APPENDIX –AUDITEE’S COMMENTS




                                              15
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003




                                              16
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003




                                              17
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003




                                              18
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003




                                              19
Audit of CMO’s Audit Tracking and Resolution Process   ED-OIG/A03-90003




                                              20
                             Report Distribution List
                     Audit Control Number ED-OIG/A03-90003

                                                                                No. of
                                                                                Copies

Auditee/Action Official
Mr. Greg Woods                                                                       4
Chief Operating Officer
Student Financial Assistance
7th and D Streets
Regional Office Building 3, Room 4004
Washington, DC 20202

Other ED Offices
Director, Office of Public Affairs                                                   1
Deputy Secretary, Office of the Deputy Secretary                                     1
Under Secretary, Office of the Under Secretary                                       1
Audit Liaison, Student Financial Assistance                                          1
Director, Case Management and Oversight                                              1
Supervisor, Post Audit Group, Office of the Chief Financial Officer                  1
General Counsel, Office of the General Counsel                                       1

Office of Inspector General                                           (Electronic Copy)
Inspector General                                                                     1
Deputy Inspector General                                                              1
Counsel to the Inspector General                                                      1
Assistant Inspector General for Investigation Services                                1
Assistant Inspector General for Audit Services                                        1
Deputy Assistant Inspector General for Audit Services                                 1
Director Student Financial Advisory and Assistance Team                               1
Regional Offices                                                                 1 each