TPS Independent Audit vs. Supplemental Audit Letter & Best Practices
If you have been keeping up with the recent developments in the Third-Party Servicer (TPS) guidance issued by the U.S. Department of Education (ED), you would have noticed significant activity in just the past few weeks. First, the comment period for Dear Colleague Letter (DCL) GEN-23-03 closed with an overwhelming response of over 1100 comments. Subsequently, 2U filed a lawsuit against ED, challenging the new requirements on the grounds that ED lacks the regulatory authority to impose such mandates on entities providing services to Institutions of Higher Education (IHE). Finally, ED recently announced on April 11, 2023, that the effective date for the final guidance will be delayed from its original target of September 1. Clearly, this new guidance has generated considerable attention, and we are committed to staying updated on the latest developments. In case you missed our previous article on this topic, we recommend reviewing it here before reading on.
While we all await the final TPS guidance to be published by ED, we maintain the view that the number of companies meeting the revised TPS definition in the future will be considerably larger compared to the previous definition. Therefore, it is crucial for organizations to proactively plan for the implications of being classified as a TPS to mitigate overall risk and ensure successful support of IHEs in the long-term.
In line with our approach of addressing TPS-related matters, we would like to highlight an important aspect of the latest DCL, which was initially introduced in the 2016 DCL GEN-16-15 and has remained largely unchanged since then. This pertains to ADT-Q1 from the Q&A section, which covers the Supplemental Audit Letter.
Let's examine the language used to determine which TPSs are eligible to file a Supplemental Audit letter in lieu of an independent audit. The exception to an annual independent audit hinges on the interpretation of the phrase "In cases where Title IV services or functions performed by a TPS are not covered in the OIG's audit guide..." Specifically, the question arises: what does 'not covered' mean? Does it imply that no aspect of the audit guide is applicable to the services provided by a TPS? This would be implausible, as one of the sections of the audit guide (Chapter 4, C.11) pertains to the review of contracts to ensure they contain the necessary language. Moreover, for EdTech companies, the Gramm-Leach-Bliley Act (GLBA) requirements (Chapter 4, C.8) in the audit guide are applicable regardless of the types of technology services offered.
Therefore, we believe that 'not covered' should be interpreted in the context of whether the TPS's services are generally addressed in the Compliance Requirements and Attest Procedures, and that references to GLBA and contract terms alone are not sufficient to qualify as "covered" in the audit guide. This interpretation is reasonable, considering that the TPS examples provided by ED in the DCL would have services that fall under these two sections.
If you are still uncertain about opting for the Supplemental Audit Letter approach, it is worth considering an additional point: there have been no changes to the response to ADT-Q1 since its initial issuance in 2016, except for the substitution of a different example in the latest DCL. Specifically, the example of Title IV refund checks has been replaced with services for prospective students. This change in examples suggests that ED perceives these types of services as falling outside the scope of the audit guide and, therefore, anticipates that the audit supplement letter will be provided by the TPS.
Additionally, based on feedback obtained from various independent audit firms, it has come to our attention that the Supplemental Audit Letter for Title IV default prevention services is frequently encountered in their audits. Based on a thorough analysis of all these factors, it is evident that the letter option is here to stay and is a valid substitute for an independent audit until the audit guide is revised and updated to include the services of the newly defined TPSs.
Considering everything, let's review best practices for providing the Supplemental Audit Letter instead of an independent audit, if you qualify and elect to do so.
The fundamental principles and purpose underlying the scope of the independent auditor's examination are equally applicable to your internal review. Therefore, it is imperative to approach the letter with the perspective of an external party. Your organization may need to enhance its documentation of internal controls and procedures to substantiate the attestations made in the letter.
Conduct a comprehensive assessment of your information security protocols, with particular emphasis on safeguarding FERPA data. It is imperative to establish a robust Information Security Program that aligns with the guidelines set forth by the GLBA and the Federal Trade Commission (FTC). It is crucial to thoroughly review and adhere to the provisions outlined in GENERAL-23-09.
The CEO of the TPS is included in the Audit Supplement Letter for a specific purpose. ED intends to hold the CEO responsible if the information presented in the letter is found to be inaccurate or deceptive in the future. As the CEO, it is crucial to seek assurances from your team that they adhere to these requirements, and a stringent standard must be set to eliminate any ambiguity about compliance. If you do not hold the CEO position, it is essential to be prepared to substantiate your work and demonstrate to the executive leadership of your TPS that you meet the necessary requirements.
It is important to note that you bear joint and several liability for any violations that occur at your client institution. Therefore, we recommend carefully reviewing and revising your contracts to minimize your risk exposure. This includes conducting a thorough assessment of your client risk profile and identifying any potential high-risk clients who may not be worth the long-term revenue. Additionally, it is prudent to evaluate your insurance coverage to ensure it is adequate in the event of a penalty imposed by ED.
Be prepared to respond to an auditor from a school that asserts the need for an independent audit based on their differing interpretation of the ADT-Q1 guidance. To address this situation effectively, we recommend contacting the TPS Oversight Group at ED via email at fsapc3rdpartyserviceroversight@ed.gov, to seek confirmation of your understanding that the services you provide are not subject to the audit guide.
Honorable mention: after consultation with multiple independent auditors, we developed an additional alternative for TPSs: engaging an independent auditor to review and test the attestations in the Supplemental Audit Letter. We consider this approach to be a hybrid solution that offers a suitable level of risk management while optimizing the balance between administrative efforts and costs. If you find the right audit partner, this option should result in reduced administrative overhead for the organization and greater cost-effectiveness.
We appreciate your engagement in our in-depth analysis of the independent audit exception. We welcome your feedback on our interpretation of the guidelines and suggestions for future topics. Please feel free to contact us or share your thoughts in the comments wherever this article is shared.