EDUCAUSE Requests Delay/Rewrite of Safeguards Rule Audit Requirement

(April 6, 2017 – Jarret Cummings) On March 29, 2017, EDUCAUSE joined the National Association of College and University Business Officers (NACUBO), the Council on Governmental Relations (COGR), and the National Association of Student Financial Aid Administrators (NASFAA) in asking the federal Office of Management and Budget (OMB) to delay and/or rewrite a “federal single audit” requirement proposed by the Federal Student Aid (FSA) division of the U.S. Department of Education. The requirement as written would introduce Gramm-Leach-Bliley Act (GLBA) Safeguards Rule compliance into the single audit process, but in a potentially expensive and ineffective way. EDUCAUSE and its partner associations asked OMB to delay introducing the requirement until FY 18 to allow time for FSA to work with affected stakeholders on improving it. Absent that, the associations asked OMB to use the alternative version of the requirement proposed by the National State Auditors Association, which had also proposed an overall delay in implementation as its first option.

Given the amount of federal funding colleges and universities receive, they generally fall under the “federal single audit” framework, which provides a unified process for institutional audits that covers all federal programs from which an institution receives funding. The single audit process includes audit requirements for specific programs as necessary, though, to address oversight concerns unique to those programs. FSA proposed to add such an audit requirement for FY 17 to cover institutional compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.

While introduction of the proposed audit requirement is consistent with FSA’s previous guidance, EDUCAUSE and its partner associations noted that the national associations for state auditors and certified public accountants (CPAs) had both expressed concerns that the audit requirement as written lacked objective audit criteria. The Safeguards Rule provides institutions with considerable discretion in determining how to “reasonably” fulfill its requirements, reflecting the flexibility written into GLBA itself. The legislative intent is clear — policymakers didn’t want to tell covered entities how to conduct their risk assessments, for example; they just wanted to ensure that organizations made good-faith efforts to assess their information security risks and plan accordingly. This flexibility can become a liability in an audit, however, if a requirement based on the Rule is not written to focus on matters that can be objectively evaluated, rather than on judgments the law deliberately leaves to the institution.

Thus, incorporating the Safeguards Rule as written into the federal single audit, which is what FSA’s proposal does, would force institutions to add expensive IT audit specialists to their audits while not ensuring that any negative findings would be truly objective. Under the proposed requirement, such findings could result from differences in opinion between IT staff and auditors over what counts as “reasonable.” And given that preparations for FY 17 audits are already well underway, colleges and universities would have to absorb any increased audit costs without having budgeted for them.

With this in mind, the letter from EDUCAUSE and its partners to OMB endorsed the position of the state auditors and CPAs that OMB should not implement the Safeguards Rule audit requirement until FY 18. This would allow for dialogue between FSA and affected stakeholders on rewriting the requirement to remove any subjective elements. If the OMB felt compelled to proceed with the requirement for FY 17, however, then the associations advocated for OMB to replace the proposed requirement with one that reflects objective criteria, consistent with the state auditors’ proposal.

EDUCAUSE is working with its partners to engage OMB and FSA in further dialogue on this issue. We have also solicited and received the support of several major higher education presidential associations, which collectively have submitted comments in support of the NACUBO/EDUCAUSE/COGR/NASFAA position. In the interim, the state auditors’ comments on the proposed requirement indicate what institutions will face if it is implemented without adjustment. EDUCAUSE members should consider talking with their business and finance counterparts about where a Safeguards Rule audit requirement may fit into the institutional audit process and what they should do to prepare.

Jarret Cummings is the Director of Policy and Government Relations for EDUCAUSE.