OMB Compliance Updates for Higher Education Institutions
Schedule of Expenditures of Federal Awards
There can be many challenges in preparing an accurate and complete schedule of expenditures of federal awards (SEFA), especially with the significant COVID-19 stimulus funding from the federal government since 2020.
Knowing the Grants
First, it’s important for institutions to know their federal programs, whether they are in the form of financial assistance received directly from the federal government or passed through from another entity. It’s critical to understand each grant agreement and whether it is subject to Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) audit requirements.
There are many awards that fall outside of financial aid programs for postsecondary students authorized under Title IV of the Higher Education Act of 1965 (Title IV), as amended, such as other U.S. Department of Education programs and research and development grants. Institutions should obtain copies of all their grants from the grant-writing department or the individual writing the grants and review the USAspending.gov website for other grants they may have missed.
Since an in-relation-to opinion is issued on the SEFA, it must be materially correct in relation to the financial statements as a whole. Keep in mind that some grants that might not be material to the financial statements may be material to major program determination. Discovering a federal grant at the last minute during the audit can change both the scope and the required compliance testing and delay audit finalization.
COVID-19 Stimulus Money
Second, there is still federal COVID-19 stimulus money to be spent from new programs and additional funding for existing programs, as some grants do not end until 2024. This includes direct awards as well as indirect awards passed through the states. You can sometimes find these pass-through funds on USAspending.gov.
Other Federal Financial Assistance
Third, while some of these may not be typical for higher education institutions, institutions must determine if they have other federal financial assistance they should include on the SEFA, such as donated commodities, donated property, insurance, loans, or loan guarantees.
It is also important to note a recent change to the U.S. Department of Agriculture (USDA) Community Facilities Loan Program (ALN #: 10.766), which provides rural communities with access to loans. Prior to 2022, USDA only required that these loans be included on the SEFA in the initial year of the loan. Due to continuing compliance requirements other than just repayment, however, USDA now requires the institution to include these loans on the SEFA until repaid.
And finally, one other potential test for identifying missing grants is to complete a reconciliation of the SEFA to grant revenue on the Statement of Activities (SOA). Remember, Title IV and other grant expenditures are based on fiscal year disbursements, not on when cash is received, as the SEFA is typically on an accrual basis.
Common Findings Related to Title IV Programs
At the root of a non-compliance finding is an internal control deficiency. The examples in this section focus on the Title IV non-compliance finding rather than the underlying internal control deficiency. Examples of common non-compliance findings include the following:
- The institution did not return Title IV funds, also known as R2T4 funds, within the timeframe specified in 34 CFR §668.22 (j). This finding typically impacts Federal Direct Student Loans (ALN #: 84.268), the Federal Pell Grant Programs (ALN #: 84.063), and Federal Supplemental Educational Opportunity Grants (ALN #: 84.007) but would apply to any Title IV federal funds not earned with the exception of the Federal Work-Study Program (ALN#: 84.033).
- Students withdrew, either officially or unofficially, and the institution did not return unearned Title IV aid within 45 days from the date of determination that the withdrawal occurred.
- The institution did not correctly apply the new modular withdrawal regulations, which are complex. (See “Withdrawals from programs offered in modules” on page 18 of the Federal Student Aid Handbook, Volume 5, Chapter 2 and Program Integrity Questions and Answers – Return of Title IV Funds on the U.S. Department of Education website.) For example, does the institution understand whether the student is or is not meeting a modular withdrawal exemption? If institutions do not correctly apply these new regulations, students will not have a timely or correct R2T4 calculation performed.
- The institution did not correctly return aid for students who received all failing grades. (See “When students fail to earn a passing grade in any class” on page 13 of the Federal Student Aid Handbook, Volume 5, Chapter 2.) Institutions must be able to prove that students who have Title IV aid and do not have a passing grade attended the whole term and earned the failing grade and can therefore keep the aid. There are many ways an institution can do this, but it must have a procedure for determining whether a student who began attending a course completed the payment period and received a failing grade, or whether the student stopped attending class and failed due to nonattendance, which institutions should treat as a withdrawal.
For online programs, the institution must demonstrate that the student has participation that meets the definition of academic engagement as outlined in the regulations for an online course (34 CFR §668.22(l)(7) and 34 CFR §600.2). Without this process, a student who has received a failing grade is not considered to have begun attendance and the institution must return any Title IV aid disbursed.
- The institution returned inaccurate amounts of Title IV funds, per 34 CFR §668.22. If the return is calculated with the wrong information, it will result in incorrect amounts being returned to Title IV. The typical cause of inaccurate amounts being returned is an inaccurate number of days in the term or payment period due to not removing breaks of five days or more.
- The institution performed an incorrect need analysis and students were not initially awarded Title IV aid appropriately, based on need. If there are changes in a student’s information on the Institutional Student Information Report (ISIR), when a subsequent ISIR is produced, the institution must update the student’s federal financial aid awarding to reflect the revised information. Errors in need analysis for federal financial aid will lead to inaccurate awarding and disbursement of need-based federal financial aid, particularly as it relates to subsidized loans, per the “Direct Subsidized Loans vs. Direct Unsubsidized Loans” section on page 4 of the Federal Student Aid Handbook, Volume 3, Chapter 5.
- The institution improperly monitored satisfactory academic progress (SAP). For example, this can occur when a student becomes ineligible due to not making SAP and the institution does not have an approved appeal to reinstate eligibility as required by 34 CFR §668.34(c).
- The dates and amounts of Pell and Federal Direct Loan (FDL) awards posted to student accounts do not agree with disbursement records reported to Common Origination and Disbursement (COD) in accordance with 34 CFR §668.164(a). This is often caused when the institution reports the anticipated disbursement date instead of the actual disbursement date.
- The institution did not correctly report the enrollment status effective date for withdrawals to the National Student Loan Data System (NSLDS), per 34 CFR §685.309(b). However, there were many problems with enrollment reporting due to the July 2022 implementation of the updated NSLDS website.
Pell and FDL Reconciliations
Inaccurate Pell reporting could cause a student to exceed his or her lifetime limit. Inaccurate FDL reporting can impact a student’s interest accumulating period based on the dates of the loan disbursement. Timely and accurate reconciliations of the Pell and FDL amounts can prevent both of these situations.
To accomplish this, institutions must conduct a student-by-student reconciliation among all three systems (student accounts, student information system (SIS), and COD) in the months that funds are disbursed. It is also important to keep supporting documentation since the reconciliations are cumulative. Failure to take these steps will result in reconciliation issues and potential issues to the student’s lifetime Pell limits or interest charged on loans.
The U.S. Department of Education Federal Student Aid office has provided updated information to assist higher education institutions with reconciling the Pell Grant Program and the FDL Program. This information, which includes answers to common questions, applies to institutions’ financial aid and business offices.
Gramm-Leach-Bliley Act (GLBA)
GLBA compliance (16 CFR §314.4) is not a new area for higher education institutions. When the institution signs the program participation agreement (PPA), the institution attests to full compliance with GLBA as of the date it is signed. In addition, many institutions are audited on certain aspects of their compliance with GLBA through the Uniform Guidance audit requirements outlined in the 2022 OMB Compliance Supplement.
The three current areas required to be audited include:
- Designating an individual responsible for overseeing the information security program (program)
- Conducting a risk assessment that includes:
1. employee training and management;
2. information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
3. detecting, preventing and responding to attacks, intrusions, or other systems failures.
- Identifying related safeguards to mitigate the risks identified during the risk assessment process.
While only three areas are audited, full compliance is necessary, and it should be noted that the regulation has become more specific through a recent update. What were once viewed as best practices are being codified into specific regulations. While there were many changes within the update, a few relevant items are highlighted below. (Note: refer to the FSA’s partner resources for the latest updates to these requirements.)
The updates increase accountability.
- First, the institution must appoint a single individual responsible for the program (“Qualified Individual”). If an institution outsources this responsibility to a service provider, the institution must designate an internal staff member as responsible for oversight of the function. Previously there were no stipulations on who could be appointed responsible, and many institutions designated a committee to fill this role. While the designated individual will likely continue to coordinate with other members of the institution when implementing components of the program, the designated individual is ultimately responsible for oversight.
- Second, the Qualified Individual should submit an annual, written report to the board on the effectiveness of the program. This report should address critical areas such as risk assessment, risk management, control decisions related to mitigating identified risks, service provider arrangements, the results of testing, security events or violations and management’s response, and recommendations for changes to the program.
The updates also require the risk assessment to be formalized in writing. Written assessments are key to ensuring documentation of critical risks, mitigating controls, and the institution’s decision for mitigating or accepting each risk. Without this documentation, institutional knowledge can be lost with staff turnover, and relevant risks may not be identified and sufficiently mitigated.
Another key aspect of protection is employee training. Regular training is essential to ensure staff understand their role in protecting sensitive information and can identify potential threats to that data. Institutions with strong training programs also tend to have better buy-in from their employees when new controls must be implemented. It is also important to include management teams and your board in awareness programs. When leadership teams understand the risks and the need for certain controls, they are more likely to provide the necessary support and allocate additional funds in the budget for the critical controls.
Institutions must also have a formal incident response plan. Documenting what the institution will do if a cyberattack occurs is imperative to ensure the incident can be mitigated and resolved effectively. Plans should incorporate areas such as who to notify, basic procedures to follow, and the identification of clear roles and decision-making responsibilities.
Service provider oversight is another component of compliance. GLBA requires institutions that outsource certain functions to third parties to hold their vendors accountable contractually for maintaining safeguards to protect covered data. Processes must also be established to vet the relationships initially and monitor each on an ongoing basis.
The original deadline to implement various components of the update was December 9, 2022; however, the Federal Trade Commission has extended the deadline for compliance to June 9, 2023.
Achieving and Maintaining Compliance
As these OMB compliance updates highlight, there are many factors and challenges for higher education institutions and their auditors to be aware of, implementing, and monitoring. Staying up to date on changes and common challenges can help institutions achieve and maintain compliance.Sign up for e-news and alerts