UPDATE: Pending FSA Audit Requirement on Safeguards Rule

(April 17, 2017 – Jarret Cummings) The following information was sent to the EDUCAUSE CIO listserv on Friday, April 14, 2017.

The FY17 federal single audit process affects most institutions and has generally already started. An audit requirement for Gramm-Leach-Bliley Act (GLBA) Safeguards Rule compliance may soon be added to it. Input from EDUCAUSE and others will likely lead to a final version that is objective and focused on the Rule’s core elements. It is not clear yet, however, if our proposal to delay implementation until the FY18 audit will be accepted. In the interim, members should talk with their business offices about the audit process and what may be needed to establish Safeguards Rule compliance. NACUBO has alerted business officers about the need for these discussions. Please see below for more details.

Detailed Review

I recently issued a Policy Spotlight post (http://goo.gl/ogteoo) on a “federal single audit” objective proposed by the U.S. Dept. of Education (ED) Office of Federal Student Aid (FSA) for the FY17 audit process, activities for which are already underway at most institutions. (Any institution with federal funding of $750,000 or more, which includes federal student aid, would be required to conduct a federal single audit annually.)

The new audit objective is intended to check for institutional compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule; FSA had previously indicated it would work toward auditing for that purpose after having incorporated a Safeguards Rule provision in the agreement institutions sign to participate in student financial aid programs (http://goo.gl/Ons9dD).

As explained in the recent Spotlight post, a number of higher education associations as well as groups representing state auditors and certified public accountants (CPAs) submitted comments expressing serious concerns about an initial draft of the audit objective. We asked that its implementation be delayed and that the objective be rewritten to reflect non-subjective, more fact-based audit criteria.

The initial response from the Office of Management and Budget (OMB), which oversees the federal single audit requirements, was positive in terms of rewriting the objective. While the text of the objective is not yet publicly available, we believe the final version will ask auditors to determine, consistent with the Safeguards Rule (http://goo.gl/JB6Laj; see also: http://goo.gl/6iSK0z), whether the institution has:

  1. Designated an employee to coordinate its information security program;
  2. Conducted a risk assessment that checks for “reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information” across broad categories discussed in the Rule; and
  3. Designed and implemented safeguards to address each of the risks identified in its risk assessment.

The OMB response did not address, however, the first request, which was to delay implementation of the audit objective until the FY18 audit. In light of this, EDUCAUSE again worked with its core partners on this issue (NACUBO, COGR, NASFAA) to submit a second letter reiterating the need to delay the objective until the FY18 audit process, given that introducing it into FY17 audit activities, which have generally already begun, would be disruptive and potentially costly.

We do not yet know how OMB will respond to our latest comments, but in the interim, NACUBO has issued an alert to its members which could generate questions for EDUCAUSE members about Safeguards Rule compliance (http://goo.gl/AsO5EN). I will provide further information to the community as I can, but in the interim, it would be worthwhile to talk with your business office about the institution’s federal single audit process and what documentation your auditors may need to see based on what I have identified above.
Jarret Cummings is the Director of Policy and Government Relations for EDUCAUSE.