College Admission Scandals: A Good Time for Internal Audit to Review Recruiting and Remissions Practices
November 9, 2019
Many of our institutions of higher education have been impacted by a variety of college admission scandals over the past year. These scandals hit the industry[1] hard and raised many questions from stakeholders. These incidents are a good reminder, as audit professionals, that we can add value to our institutions through reviews of admissions standards and the internal controls supporting admission objectives. Below are some examples of areas to consider during your next admissions process engagement.
We can add value to our institutions through reviews of admissions standards and the internal controls supporting admission objectives.
Unique Admissions Processes
One potential area for analysis are the processes for accepting transfer students into your institution. For example, institution officials may be relying upon the admissions review and vetting process completed at the student’s previous institution and may not require evidence of a student’s high school transcript or GED.[2] If your institution allows this kind of transfer admissions, consider the following:
- How does your institution ensure that transfer-in students are academically qualified[3] to receive Title IV federal financial aid if your institution does not get proof of graduation from high school or completion of a GED?
- If analyzed, would data on students admitted under unique admission processes be explainable or warrant further review? Will the data identify historical trends in unique admission numbers? For example, has your institution had a significant increase in recent years for unique admission types or admissions to one or two academic programs? Do these spikes warrant further review and detailed testing?
- Should your institution obtain assurance that the student’s transfer institution obtained proper evidence of high school completion or completion of a GED? Higher education institutions obtain assurance on other similar business processes, such as subrecipient monitoring requirements for compliance with Uniform Grant Guidance requirements or SSAE 18 certification for service organization controls. Therefore, why would you treat unique admissions any differently than those established control processes?
Remissions
Another risk area for your audit team to consider relates to tuition remissions, or what some call “tuition discounting.” Fraud risks exist within the remissions awarding and disbursement processes. One recent example of an alleged fraud in the remissions process occurred at Howard University where six staffers received tuition benefits in excess of cost and kept the remainder.[4]
It is imperative to know whether your institution has adequate controls and segregation of duties in awarding and disbursing funds via a remissions process.
Given these fraud risks, it is imperative to know whether your institution has adequate controls and segregation of duties in awarding and disbursing funds via a remissions process. Some additional considerations are:
- Run periodic or daily reports to identify employees that received remissions. From these reports, select a sample to determine whether there was proper award and disbursement of those remissions.
- For students that receive remission, what is the process for applying outside scholarships to a student’s account? Are outside scholarships consistently processed through your university’s financial controls?
- For institutions that use remissions as a way to recruit non-resident students, can these students change their residency status during their academic career? If so, how are residency status changes approved and monitored (one person, multiple individuals, a committee)? Are these residency status change controls working effectively?
Information Technology Practices and Privacy Laws and Regulations
Recent data privacy regulations, including GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), increased privacy compliance risks in higher education. Auditors typically focus data privacy testing and control reviews on the current student population or alumni. However, your institution may also gather volumes of data on perspective students through a Customer Relationship Management system, which is often separate from your institution’s Enterprise Resource Planning system, creating additional risks. Institutions may also use a web traffic tracking software that gathers data about individual website visitors. Although these systems and software can be a great tool for recruiters, is your institution prepared to address a prospective student’s “right to be forgotten,” as provided under GDPR and CCPA?
An audit or consulting project within your institution’s admissions and recruiting operations in the near future may provide your institution great value based on the incidents impacting higher education and the related risks outlined above.
[3] The General Education Development (GED) test is an option for students to obtain certification of education equivalency to a high school diploma.
About the Author
David Terry
David Terry, CPA, CFE, CIA leads Portland State University’s Internal Audit Office. He has more than 17 years of experience in auditing and also holds positions as an audit committee member on two Oregon governmental audit committees.
Read Full Author Bio