(GENERAL-23-83) Single Audit Guidance: Suggested Audit Procedures for 2023 Compliance Supplement Special Test and Provision 3 - Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device

Federal Student Aid (FSA) is issuing this Electronic Announcement to provide guidance to institutions and auditors evaluating institutional compliance with the requirements for using a servicer or financial institution to deliver credit balances to a card or other access device under the Department’s regulations at 34 C.F.R. 668.164(e) and (f).

FSA has become aware that, in certain circumstances, auditors may not be able to perform one of the suggested audit procedures in the 2023 Compliance Supplement for Special Test and Provision 3 - Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device. The information needed to perform the suggested audit procedure may not be available to the institution under audit because there is no current requirement for a servicer or financial institution to provide the information to the institution and/or to the auditor that is needed to perform the suggested audit procedure.

The suggested audit procedure is procedure b.(2), which provides “for sample of students for whom a financial account under the [tier one or tier two] arrangement was opened, [the auditor should] determine whether the school informed the student of the terms and conditions of the financial account and obtained the student’s consent to open the financial account.”

The regulations require an institution to ensure that a student's consent to open the financial account is obtained before an access device like a bank card or other means needed to access the financial account, or any representation of an access device, is sent to the student, except that an institution may send the student an access device that is a card provided to the student for institutional purposes other than electronic fund transfers, such as a student ID card, so long as the school or financial institution obtains the student's consent before validating the device to enable the student to access the financial account (34 CFR 668.164(e)(2)(i) and 668.164(f)(4)(i)(B)).

The regulations at 34 C.F.R. 668.161(a)(2)(i) define an access device as a card, code, or other means of access to a financial account, or any combination thereof, that may be used by a student to initiate electronic fund transfers.

In any instance where an access device is provided to a student and that access device does not serve an institutional purpose other than electronic fund transfers, it is the institution’s responsibility to ensure that the student’s consent has been obtained before the access device is validated, even if the consent is obtained through the financial institution, allowing the student to access the financial account. In this situation the auditor would be expected to perform all suggested audit procedures as laid out in the Compliance Supplement. The institution must have adequate internal controls in place to ensure the accuracy and completeness of its information for each student who is provided with an access device. Failure to maintain documentation sufficient to demonstrate compliance could result in an audit finding that the institution lacks suitable internal controls and may also result in a scope limitation with regard to this Tier 1/Tier 2 requirement.

In any instance where an access device that does serve an institutional purpose other than electronic fund transfers is provided to a student prior to validation of the access device, the institution or the financial institution must obtain the student’s consent before validating the device and allowing the student access to the financial account.

We have been informed by members of the audit community that in situations where an access device is provided to students for institutional purposes other than electronic fund transfers, such as a student ID card, and the access device is validated after being sent to the student, only the financial institution would have information on those students that chose to activate the access device through the financial institution. The audit community has also informed us that some financial institutions have declined to provide auditable information to develop a sample and perform the suggested audit procedure.

Based on this information, auditors are not required to perform suggested audit procedure b.(2) from the 2023 Compliance Supplement in situations where:

This guidance is effective for any Single Audit performed using the 2023 Compliance Supplement. FSA will clarify this suggested audit procedure in the 2024 Compliance Supplement.