Nonprofit Resources


Business Risks from the Student Financial Aid Office

Gone are the days of siloing responsibilities and each office working independently. While segregation of duties and internal controls remain vital to a higher education institution’s health, they are insufficient on their own. A failure to thoughtfully consider the related impacts between functional areas or departments creates business risks that may stilt your institution’s ability to serve your students and accomplish your mission and vision. 

Below are two current business risks arising from the student financial aid office that are vying for and deserving attention.

The Graham Leach Bliley Act (GLBA) 

The purpose of the GLBA is to protect individuals’ personal information, including Social Security numbers. Students who complete a FAFSA to file for federal aid must provide their name, Social Security number, date of birth, address, email address, phone number, and recent tax information. Students who are dependents must provide this information for their parents as well. The existence of all this personally identifiable information in one place makes institutions increasingly attractive targets for hackers and other fraudsters attempting identity theft. 

The president of the institution already signs the United States Department of Education Financial Student Aid (USDE FSA) Program Participation Agreement (PPA), which includes a statement that the institution is in compliance with GLBA.

The compliance supplement issued July 1, 2019 for fiscal year ends of June 30, 2019 and beyond includes required audit procedures related to GLBA. Deficiencies identified in the audit procedures would be evaluated under the administrative capability criteria, and any reportable findings will be publicly available. This includes the full context of the finding as changes in the data collection form are effective as well.

GLBA has six key provisions for higher education institutions to address: 

  • Developing, implementing, and maintaining a written information security program
  • Designating the employee(s) responsible for coordinating the information
  • Identifying and assessing risk to customer information
  • Designing and implementing information safeguards, and regularly testing and monitoring those safeguards
  • Selecting appropriate service providers that are capable of maintaining appropriate safeguards
  • Periodically evaluating and updating the security program

What are the business risks here? 

  • Non-compliance would likely result in an administrative capability finding (i.e., unable to properly administer Title IV funds) and require a corrective action plan from the institution. Repeat findings with the Department of Education can lead to termination of the institution’s participation in Title IV funding. 
  • Students and parents want to know their information is being stored securely, or enrollment may decrease.
  • Breaches, including breaches through third-party vendors, pose a reputational risk to the institution.
Changes in the Department of Education Financial Viability Ratios 

The financial viability ratio changes were proposed in February 2018 and are expected to be finalized before June 30, 2019. This timing is intentional, to align with the latest effective date for adoption of FASB ASU 2016-14, Presentation of Financial Statements of Not-for-Profit Entities, for most institutions. 

Key changes include:

  • Treatment of underwater endowment funds resulting from investment losses moving from “unrestricted” to “with donor restrictions,” which will impact the net income ratio.
  • Clarifications in post-retirement benefits and defined benefits, which affect expendable net assets in the primary reserve ratio.
  • Clarifications of limiting property and equipment to not be less than 0 net of related debt, which also affects the expendable net assets in the primary reserve ratio.

The adjustments include a proposal for a six-year transition period related to the impact of the new FASB Accounting Standards Update 2016-02, Leases. The proposal also suggests that the audit report include a supplemental schedule referencing audited numbers to the amounts used in the calculation of the financial viability score. 

What are the business risks here? 

  • An institution that scores less than 1.0 is not considered financially responsible and cannot participate in Title IV funding without obtaining a letter of credit in an amount determined by the Department of Education.
  • An institution that scores between a 1.0 and a 1.4 is considered in “the zone.” There are additional restrictions on when cash can be received from the federal government, which can put significant strain on managing cash flow.
Mitigating the Risk

What are some practical steps to mitigate these business risks?

  • Education and continual reinforcement – Everyone at the institution needs to understand the risks and be educated on what can be done to reduce them. 
  • Collaboration – Dedicate time to discussion and collaboration cross-functionally.
  • Know your team – Commit time to learning your team’s collective strengths and weakness, and allow people to use their strengths even if it’s outside their specific job description.
  • Stay forward focused – Allot time to prepare various risk scenarios and responses.
  • Make it a game – Lighthearted competition and rewards maintain focused attention on the risks, which often results in creative, unique, applicable solutions. For example, some institutions may offer a half day off to employees or teams with the best solutions that quarter.

An approach of consideration, collaboration, and implementation in addressing not just these risks but all business risks between departments creates the potential for significant positive impact for everyone — students, fellow employees, parents, and in turn, the world these people touch.

CapinCrouse can assist your organization with GLBA compliance, preparing the new financial viability ratios, and other challenges and opportunities. Learn more on our website or by contacting us at [email protected]. 

This article was originally published in Christian Academia Magazine. It has been updated.

Patricia Willhite

Patricia is a Senior Manager at CapinCrouse. Patricia joined CapinCrouse in 2007 and has served many different types of nonprofit organizations. She specializes in providing assurance services, with special emphasis in employee benefit plans and Uniform Guidance engagements. In addition, she has provided advisory and consulting services to numerous organizations.

Leave a Comment