Click here to download a PDF of this article.

Institutions are required to demonstrate administrative capability to participate in Title IV programs, which includes a wide range of requirements such as adhering to all statutory provisions, ensuring the institution is adequately staffed with capable administrators, maintaining policies and procedures, establishing and maintaining records, providing financial counseling to students, and referring potential fraud to the Office of the Inspector General. One of the more complicated requirements of administrative capability is that an institution administer Title IV programs with adequate checks and balances in its system of internal controls. Many directors of financial aid do not have a background in auditing or accounting and applying these concepts to the everyday tasks of managing a financial aid office can be daunting.

The 2021 Federal Student Aid Conference presentation “Top Audit and Program Review Findings” provides a high-level overview of the components of internal control and some general ideas for using those components to address audit findings.  This article will explain the key concepts of internal control and will apply this framework in detail to one of the most common audit findings identified by the U.S. Department of Education (ED) – inaccurate and untimely enrollment reporting.

Understanding Internal Control

A basic definition of the phrase “internal control” is that it describes the intentional activities completed by an organization to achieve objectives that are important to the organization.

The 2021/22 Federal Student Aid (FSA) Handbook (Volume 4, Appendix B) defines internal control in the context of Title IV administration as “a school’s plan of organization and all the policies, procedures, and actions taken by the school to provide reasonable assurance that the school will achieve its objectives in the following areas: effectiveness and efficiency of operations; accuracy of operating data; reliability of program reporting; protection of funds against fraud and misuse; [and] compliance with organizational policies and applicable FSA laws and regulations” (p. 4-196).

The 2021/22 FSA Handbook (p. 4-200 – 4-206) also identifies the minimum checks and balances that should be in place at every institution as internal control activities for administering Title IV funds, including:

  1. Ensuring separation of functions: Although many functions benefit from dividing duties among several employees to reduce the risk of collusion and fraud, the functions of authorizing and awarding Title IV aid must be separate from the function of disbursing Title IV aid.
  2. Taking monthly trial balances to ensure accounts are in balance: The institution’s accounting office should be performing at least a monthly check to ensure that debit and credit balances are equal and reviewing and resolving any discrepancies.
  3. Completing a monthly reconciliation of the accounting ledger with bank balances: The institution’s accounting office should be performing a monthly check to ensure that the cash balance shown in the institution’s accounting records matches the school’s bank statement. Any discrepancies should be reviewed thoroughly and adjusting entries to the general ledger should be made when appropriate.
  4. Completing a monthly reconciliation for each Title IV program: Institutions are required to complete a separate monthly reconciliation for each Title IV program in which they compare the drawdowns from G-5 that occurred during a 30-day period to the amount disbursed to students or returned to ED. Any discrepancies should be reviewed thoroughly and the reasons for the discrepancies (often timing issues) documented. The 2021/22 FSA Handbook provides detailed instructions on Pell Grant and campus-based reconciliation and Direct Loan Program reconciliation.
  5. Ensuring adequate controls over electronic data processing: Institutions are responsible for safely maintaining electronic data by engaging in activities such as creating policies and procedures to protect the student information system (SIS) and other sensitive systems, providing unique logins to users and requiring regular password updates, ensuring that faculty and staff have access only to those functions necessary to perform their job duties, and performing regular system back-ups.

The U.S. Government Accountability Office (GAO) provides the framework for internal control used by ED and other federal agencies in its manual called the “Green Book.” The three categories of goals identified by the GAO’s Green Book include operations, reporting and compliance (p. 5).  The Green Book also provides five interrelated components of internal control, with seventeen underlying principles. The five interrelated components of internal control described in both the Green Book and the 2021/22 FSA Handbook, detailed below,  include maintaining an effective control environment, completing risk assessments, developing control activities, communicating important information, and monitoring.

Control Environment

The control environment is about the values and people of the organization. In an effective control environment, the employees are trained and competent, understand their responsibilities and authority, are committed to ethical behavior, and are accountable for their performance. In the context of Title IV administration, a strong control environment would include an experienced and knowledgeable director of financial aid ( or other coordinating official), regular and ongoing training in Title IV compliance, a clear code of conduct, a culture of continuous improvement in which errors and challenges are openly discussed and addressed, and an understanding that Title IV compliance is an institutional responsibility and not just a financial aid office responsibility.

Risk Assessment

The risk assessment is about understanding the range of errors and fraud that could occur in an organization. A thorough risk assessment would require an organization to consider the various types of error and fraud that are possible, understand the pressures and complexities associated with completing tasks, and identify ways that controls could be circumvented. In the context of Title IV administration, a risk assessment would include reviewing the most detailed and time-sensitive procedures to identify potential weaknesses. It would also include reviewing system access by role or employee to ensure segregation of duties and to minimize opportunities for collusion and fraud. The 2021/22 FSA Handbook (pp. 4-197 – 4-198) identifies four scenarios that it considers high risk including a change in the operating environment (a new regulation, state law, or accreditor procedure), new personnel, new or revamped information systems, and the rapid growth of an institution.

Control Activities

Control activities include the use of information systems, policies and procedures, segregation of duties, and reporting to achieve the organization’s objectives. Managers use control activities to ensure work is being performed as expected, and to identify and quickly address any areas of non-compliance. In the context of Title IV administration, control activities would include developing and updating policies and procedures, creating checklists and processing worksheets to ensure consistency, and developing reports to ensure the department is adhering to statutory timeframes.

Information and Communication

Accurate and timely information to and from key constituencies is essential to developing and maintaining internal control. Information systems may be both informal (such as feedback during a team meeting) and formal.  In the context of Title IV administration, financial aid directors must stay abreast of changes to federal requirements and ensure the information is properly communicated to colleagues. Additionally, communication includes the accurate and timely completion of compliance-related reports and disclosures.


Monitoring refers to developing a baseline of performance, identifying and developing tools (reports, dashboards, internal audits) to monitor performance, and using those tools to promptly identify deficiencies. Essentially, the purpose of monitoring is to ensure that control activities are effective and being performed according to the policies and procedures. In the context of Title IV administration, monitoring would include regular secondary reviews of high-risk procedures (for example, R2T4 calculations) and the sampling of transactions to ensure accuracy and timeliness (for example, Title IV credit balance refunds). Although monitoring activities should be occurring in the financial aid office on a regular basis, they should also include independent checks such as internal audits that are not completed by financial aid office personnel and the results should be shared with the institution’s leadership.

In summary, an effective system of internal control in Title IV administration requires competent and trained employees (control environment), a thorough understanding of potential errors and risks associated with processes and responsibilities (risk assessment), policies, procedures and tools to properly perform compliance tasks (control activities), timely and clear communication on the regulations and compliance challenges to internal and external constituencies (information and communication), and regular auditing activities to ensure that processes are being performed correctly and timely (monitoring).

Applying the Components of Internal Controls to Enrollment Reporting

Schools are required to certify students’ enrollment status to the National Student Loan Data System (NSLDS) at minimum every 60 days. This article doesn’t address the specifics of the enrollment reporting requirements and instead focuses on the process through the lens of the five interrelated components of internal control. Institutions may find the September 2021 version of the NSLDS Enrollment Reporting Guide helpful in understanding detailed enrollment reporting requirements.

Inaccurate and untimely enrollment reporting is a common audit finding because the enrollment reporting requirements are complex and require coordination across campus(es). Correctly reporting students’ enrollment statuses might require extracting detailed information from the school’s SIS, reporting on multiple academic calendars, timely reporting of student attendance by faculty, the correct and timely manual data entry of enrollment status changes and graduation information, monitoring student data that changes throughout the term, and sustained coordination between the financial aid office and the office that completes enrollment reporting (often the registrar or records office).

Creating an effective control environment for enrollment reporting

Although it is often the financial aid director or registrar who must respond to audit findings related to enrollment reporting, the findings are often at least indirectly related to activities that occur outside of these offices. Creating an effective control environment for enrollment reporting requires an understanding that the responsibility for timely and accurate enrollment reporting extends throughout the institution.

As a first step in creating an effective control environment for enrollment reporting, an institution should identify all personnel with a role in the process, which may include employees from the registrar’s office, financial aid office, degree evaluation office, academic advising office, and faculty. It should ensure all parties are informed of the importance of timely and accurate enrollment reporting and the consequences of failure to comply for both students and the institution. As untimely reporting of student attendance by faculty is often a contributing factor in enrollment reporting errors, institutions could consider formal accountability measures for complying with attendance reporting policies in faculty contracts and performance reviews.

A team could be charged with developing and providing role-specific and timely ongoing training for personnel who interact with the process. For example, faculty could receive regular reminders of the relevant procedures around the times that most enrollment reporting activities requiring their participation occur. Finally, it’s important to ensure that any new employees receive training prior to interacting with the process.

Completing a risk assessment for enrollment reporting

To complete a comprehensive risk assessment for enrollment reporting, an institution needs to consider the data, people and systems that interact with the process. Although institutions have unique risks related to their systems and processes, common errors to consider include incorrectly reported enrollment status and program change effective dates, the failure to capture and report off-cycle information (for example, a degree posted late), the use of outdated CIP codes, and the failure to ensure that the withdrawal date used in the R2T4 calculation matches the withdrawal date in enrollment reporting. If an institution has recent audit findings related to enrollment reporting, it has a head start on identifying some of its risks.

Be sure to consider system and access related risks. For example, the files produced by the SIS should be thoroughly reviewed to ensure they are correctly capturing all required fields. Any time a system update occurs that impacts data elements used in the reporting, the files should be re-checked for accuracy. Also, consider who has access to update student records that are included in the enrollment reporting process. Are faculty and staff able to change and backdate enrollment information? Who should be permitted to make changes to student enrollment data? As indicated in the minimum checks and balances identified in the 2021/22 FSA Handbook, to mitigate risk institutions should ensure that faculty and staff have access only to those functions necessary to perform their job duties.

Personnel changes can also create significant risk. Does only one employee know how to generate and submit the enrollment reports? Does only one employee receive error reports from file submissions? What happens if that employee must take an extended leave or departs from the institution?

Many institutions use the National Student Clearinghouse as a third-party servicer for enrollment reporting to NSLDS. Whereas use of the National Student Clearinghouse may make some processes easier for schools, it can also introduce a layer of complexity that should be examined for potential risks. Institutions should ensure that the files submitted to the National Student Clearinghouse are being transmitted to NSLDS as expected.

Another risk identified in the 2021/22 FSA Handbook is changes to regulations. The Distance Education and Innovation Final Rule made several changes to the R2T4 calculation including three new exemptions to performing the calculation, which require revisions to the procedures for reporting the student’s status to NSLDS. This change to enrollment reporting requirements creates a risk in that it requires institutions to review their policies and procedures, determine if their student information systems are configured to report the data as required, communicate determinations regarding the exemptions between offices, and may require manual updates to NSLDS records.

In some cases, disproportionate risk is related to a particular academic program or department. For example, if there is a program that maintains a separate academic calendar, that program may present unique risks related to enrollment reporting as the term dates reported will differ from those of students in other programs. A one-time institutional initiative can also create risk. For example, an institution may complete a review of degree audits for separated students who didn’t graduate to determine if course substitutions or late-arriving transfer credit can be used to graduate them. Such an initiative would require off-cycle reporting of graduation information to NSLDS.

Don’t be overwhelmed if the institution develops a very lengthy list of risks – start by focusing on developing controls for the most likely risks.  Be sure to repeat the risk assessment process regularly to identify emerging issues.

Developing control activities for enrollment reporting

There are many controls an institution can develop to improve compliance with enrollment reporting requirements and mitigate the risks it identified. First, an institution should develop detailed policies and procedures and a step-by-step desk manual for the enrollment reporting process. Thoroughly documented processes are needed to give clear direction to personnel performing these tasks, to provide to auditors, and to allow for adequate monitoring of activities.

Planning and scheduling are effective control activities because they require the institution to proactively consider when tasks should be completed. The institution should determine and document an enrollment reporting schedule in advance of every academic year and ensure that enrollment files are submitted according to that schedule.  Many enrollment reporting audit findings are related to late-reporting, and frequent and scheduled enrollment reporting rosters can reduce this risk.

An institution should  also identify and document the personnel responsible for submitting enrollment reports and responding to enrollment error reports from NSLDS. Responsible personnel should include a person with the primary responsibility but also one or more employees who serve as back-up and are well-trained in the process and able to assist as needed.

If enrollment reporting requires faculty interaction, develop forms and procedures for faculty to comply and immediately reach out to faculty members who do not respond timely. If necessary, escalate the issue to the academic department with a reminder of the consequences of untimely and inaccurate enrollment reporting.

Finally, use the reports available in NSLDS to ensure acceptable levels of compliance. For example, an institution can download the Enrollment Statistics Report (ENLST1) provided by NSLDS to identify any compliance issues and resolve those issues before warning letters begin.

Maintaining appropriate information and communication for enrollment reporting

Because enrollment reporting involves multiple areas of the college, information and communication are particularly important. An institution should schedule regular meetings with relevant financial aid office and registrar staff to ensure coordination of the enrollment reporting process.  Scheduling regular check-in meetings with the personnel who perform these tasks is important as such discussions can lead to insights related to compliance challenges and aspects of the procedures that aren’t working as planned.

The director of financial (or other responsible party) must monitor for changes to requirements to enrollment reporting, notify officials on campus of the changes, and ensure the changes are implemented. Communications should be role-specific to be meaningful – the recipient of the information needs to understand what the change means for their responsibilities.

Financial aid directors and registrars frequently bemoan faculty who do not comply with college policies related to attendance taking because late reporting by faculty makes timely and accurate enrollment reporting more challenging. However, it is likely that many faculty members have not been informed that untimely reporting could cost the student their loan grace period or result in the student owing an overpayment of financial aid.  This is an example of why communication is so essential to internal controls – it contributes to an effective control environment by ensuring that everyone at the institution understands what is at stake in maintaining compliance.

Developing monitoring activities for enrollment reporting

There are many ways to monitor that enrollment reporting is being completed correctly. The monitoring activities should relate directly to the controls the institution has developed for this process.

For policies that require faculty participation, an institution can monitor for compliance by academic department (or equivalent, depending on the institution’s structure) . Some institutions have created monitoring tools like academic department “scorecards” that track the percentage of courses per academic department that have attendance rosters submitted by the deadline. Such monitoring tools can be helpful in targeting interventions to the departments and individual faculty members who are not complying.

Another monitoring activity is to require the team with the responsibility for submitting the enrollment files to provide a monthly copy of the Enrollment Statistics Report provided by NSLDS to management. This individual could also prepare a high-level summary of the activities (records submitted, number of errors, nature of errors, etc.) to provide confirmation that the established reporting schedule is being followed and the process is being monitored for necessary corrections.

The institution can perform ongoing internal audits or reviews of the types of enrollment reporting it identifies as high risk. For example, if an institution finds that reporting the withdrawal date for unofficial withdrawals is high risk (perhaps due to a prior audit finding), it can sample a percentage (or all, depending on volume) of the enrollment reporting for unofficial withdrawals to ensure the information was reported accurately and recorded in NSLDS. If an institution identifies reporting off-cycle graduations as a risk,  it can review a sample (or all, depending on volume) of the graduations reported to NSLDS each month.

Whereas it can be disappointing to recognize through monitoring activities that internal controls are not working as planned, this is a sign of successful monitoring. If monitoring activities uncover that errors are occurring related to enrollment reporting, the institution can revisit its controls and make the necessary modifications to improve compliance.


If you have any questions or need assistance in identifying opportunities to strengthen your system of internal control, please contact Dr. Cynthia Grunden, Financial Aid and Higher Education Specialist, or the Powers professionals with whom you regularly work.

Leave a Reply