FY 2022 AGENCY FINANCIAL REPORT U.S. DEPARTMENT OF EDUCATION
104
FINANCIAL SECTION (FISCAL YEAR 2022 UNAUDITED)
Report of the Independent Auditors
UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
THE INSPECTOR GENERAL
400 MARYLAND AVENUE, S.W., WASHINGTON, DC 20202-1510
Promoting the efficiency, effectiveness, and integrity of the Department’s programs and operations.
January 23, 2023
The Honorable Miguel Cardona
Washington, D.C. 20202
Dear Secretary Cardona:
The enclosed Independent Auditors’ Report (report) covers the U.S. Department of Education’s
(Department) consolidated financial statements for fiscal years 2022 and 2021 to comply with
the Chief Financial Officers Act of 1990, as amended. The report should be read in conjunction
with the Department’s financial statements and notes to fully understand the context of the
information contained therein.
We engaged the independent certified public accounting firm KPMG LLP (KPMG) to audit the
consolidated financial statements of the Department as of September 30, 2022, and 2021, and
for the years then ended. The contract requires that the audit be performed in accordance with
U.S. generally accepted government auditing standards and Office of Management and Budget
bulletin, Audit Requirements for Federal Financial Statements.
Results Presented in the Independent Auditors’ Report
KPMG reports:
• A disclaimer of opinion on the fiscal year 2022 consolidated financial statements because KPMG has not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
• The fiscal year 2021 consolidated financial statements are presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles.
• One material weakness in internal control over financial reporting:
o Controls over the Relevance and Reliability of Underlying Data Used in Credit Reform Estimates Need Improvement.
• Two significant deficiencies in internal control over financial reporting:
o Information Technology Controls Need Improvement, and
o Entity Level Controls Need Improvement.
KPMG is responsible for the auditors’ report dated January 23, 2023, and the conclusions
expressed therein. We do not express opinions on the Department’s consolidated financial
statements or internal control over financial reporting, or on whether the Department’s
financial management systems complied substantially with the three requirements of FFMIA, or
conclusions on compliance and other matters.
We appreciate the cooperation given KPMG and my office during the engagement. If you have
any questions or would like to discuss the report, please contact me at (202) 245-6900.
Sincerely,
Sandra D. Bruce
Inspector General
Enclosure
Independent Auditors’ Report
Inspector General
United States Department of Education
Secretary
United States Department of Education:
Report on the Audit of the Consolidated Financial Statements
Disclaimer of Opinion on Fiscal Year 2022 Consolidated Financial Statements
We were engaged to audit the consolidated financial statements of the United States Department of Education
(Department), which comprise the consolidated balance sheet as of September 30, 2022, and the related
consolidated statements of net cost and changes in net position, and combined statement of budgetary
resources for the year then ended, and the related notes to the consolidated financial statements.
We do not express an opinion on the accompanying consolidated financial statements of the Department as of
and for the year ended September 30, 2022. Because of the significance of the matter described in the Basis
for Disclaimer of Opinion section of our report, we have not been able to obtain sufficient appropriate audit
evidence to provide a basis for an audit opinion on the fiscal year 2022 consolidated financial statements.
Opinion on Fiscal Year 2021 Consolidated Financial Statements
We have audited the consolidated financial statements of the Department, which comprise the consolidated
balance sheet as of September 30, 2021, and the related consolidated statements of net cost and changes in
net position, and combined statement of budgetary resources for the year then ended, and the related notes to
the consolidated financial statements.
In our opinion, the accompanying consolidated financial statements present fairly, in all material respects, the
financial position of the Department as of September 30, 2021, and its net cost, changes in net position, and
budgetary resources for the year then ended in accordance with U.S. generally accepted accounting principles.
Basis for Disclaimer of Opinion on Fiscal Year 2022 Consolidated Financial Statements
During fiscal year 2022, the Department announced broad-based debt relief for certain of its student loan
borrowers under the Direct Loan and Federal Family Education Loan (FFEL) programs. Management estimated
the subsidy costs stemming from the broad-based debt relief as of September 30, 2022. However,
management was unable to provide adequate evidential matter to support certain key assumptions used to
estimate the subsidy costs. As a result of this matter, we were unable to determine whether any adjustments to
the balance sheet might have been necessary with respect to the fiscal year 2022 Loans Receivable, Net – Direct Loan Program; Loans Receivable, Net – FFEL Program; Subsidy Due to Treasury; Loan Guarantee
Liabilities; the related balances in the consolidated statements of net cost and changes in net position; and
related notes to the consolidated financial statements.
KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006
KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee.
Basis for Opinion on Fiscal Year 2021 Consolidated Financial Statements
We conducted our audit of the fiscal year 2021 consolidated financial statements in accordance with auditing standards generally accepted in the United States of America (GAAS), the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States,
and Office of Management and Budget (OMB) Bulletin No. 22-01, Audit Requirements for Federal Financial
Statements. Our responsibilities under those standards and OMB Bulletin No. 22-01 are further described in the
Auditors’ Responsibilities for the Audit of the Consolidated Financial Statements section of our report. We are
required to be independent of the Department and to meet our other ethical responsibilities, in accordance with
the relevant ethical requirements relating to our audit. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our audit opinion on the fiscal year 2021 consolidated financial
statements.
Other Matter - Interactive Data
Management has elected to reference to information on websites or other forms of interactive data outside the
fiscal year 2022 Agency Financial Report to provide additional information for the users of its consolidated
financial statements. Such information is not a required part of the consolidated financial statements or
supplementary information required by the Federal Accounting Standards Advisory Board. The information on
these websites or the other interactive data has not been subjected to any of our auditing procedures, and
accordingly we do not express an opinion or provide any assurance on it.
Responsibilities of Management for the Consolidated Financial Statements
Management is responsible for the preparation and fair presentation of the consolidated financial statements in
accordance with U.S. generally accepted accounting principles, and for the design, implementation, and
maintenance of internal control relevant to the preparation and fair presentation of consolidated financial
statements that are free from material misstatement, whether due to fraud or error.
Auditors’ Responsibilities for the Audit of the Consolidated Financial Statements
Our objectives are to obtain reasonable assurance about whether the consolidated financial statements as a
whole are free from material misstatement, whether due to fraud or error, and to issue an auditors’ report that
includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and
therefore is not a guarantee that an audit conducted in accordance with GAAS, Government Auditing
Standards, and OMB Bulletin No. 22-01 will always detect a material misstatement when it exists. The risk of
not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud
may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
Misstatements are considered material if there is a substantial likelihood that, individually or in the aggregate,
they would influence the judgment made by a reasonable user based on the consolidated financial statements.
Except as explained in the Basis for Disclaimer of Opinion paragraph, in performing an audit in accordance with
GAAS, Government Auditing Standards, and OMB Bulletin No. 22-01, we:
• Exercise professional judgment and maintain professional skepticism throughout the audit.
• Identify and assess the risks of material misstatement of the consolidated financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Department’s internal control. Accordingly, no such opinion is expressed.
• Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the consolidated financial statements.
We are required to communicate with those charged with governance regarding, among other matters, the
planned scope and timing of the audit, significant audit findings, and certain internal control related matters that
we identified during the audit.
Required Supplementary Information
U.S. generally accepted accounting principles require that the information in the Management’s Discussion and
Analysis and Required Supplementary Information sections be presented to supplement the basic consolidated
financial statements. Such information is the responsibility of management and, although not a part of the basic
consolidated financial statements, is required by the Federal Accounting Standards Advisory Board who
considers it to be an essential part of financial reporting for placing the basic consolidated financial statements
in an appropriate operational, economic, or historical context. We were unable to apply certain limited
procedures to the required supplementary information as of and for the year ended September 30, 2022 in
accordance with GAAS because of the significance of the matter described in the Basis for Disclaimer of
Opinion paragraph. We do not express an opinion or provide any assurance on the information.
We have applied certain limited procedures to the required supplementary information as of and for the year
ended September 30, 2021 in accordance with GAAS, which consisted of inquiries of management about the
methods of preparing the information and comparing the information for consistency with management’s
responses to our inquiries, the basic consolidated financial statements, and other knowledge we obtained
during our audit of the fiscal year 2021 basic consolidated financial statements. We do not express an opinion
or provide any assurance on the information because the limited procedures do not provide us with sufficient
evidence to express an opinion or provide any assurance.
Report on Internal Control Over Financial Reporting
In connection with our engagement to audit the Department’s consolidated financial statements as of and for
the year ended September 30, 2022, we considered the Department’s internal control over financial reporting
(internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the
purpose of expressing an opinion on the consolidated financial statements, but not for the purpose of
expressing an opinion on the effectiveness of the Department’s internal control. Accordingly, we do not express
an opinion on the effectiveness of the Department’s internal control. We did not test all internal controls relevant
to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and was
not designed to identify all deficiencies in internal control that might be material weaknesses or significant
deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified.
However, as described in the accompanying Exhibits, we identified certain deficiencies in internal control that
we consider to be a material weakness and significant deficiencies.
A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in
internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial
statements will not be prevented, or detected and corrected, on a timely basis. We consider the deficiencies
described in the accompanying Exhibit A, Controls over the Relevance and Reliability of Underlying Data Used
in Credit Reform Estimates Need Improvement, to be a material weakness.
Department management did not report the material weakness in its Statement of Assurance, included in the Management’s Discussion and Analysis section of the accompanying Agency Financial Report.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe
than a material weakness, yet important enough to merit attention by those charged with governance. We
consider the deficiencies described in the accompanying Exhibit B, Information Technology Controls Need
Improvement and Entity Level Controls Need Improvement, to be significant deficiencies.
Report on Compliance and Other Matters
In connection with our engagement to audit the Department’s consolidated financial statements as of and for
the year ended September 30, 2022, we performed tests of its compliance with certain provisions of laws,
regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect
on the consolidated financial statements. However, providing an opinion on compliance with those provisions
was not an objective of our engagement, and accordingly, we do not express such an opinion. The results of
our tests disclosed no instances of noncompliance or other matters that are required to be reported under
Government Auditing Standards or OMB Bulletin No. 22-01.
We also performed tests of the Department’s compliance with certain provisions referred to in Section 803(a) of
the Federal Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance with
FFMIA was not an objective of our engagement, and accordingly, we do not express such an opinion. The
results of our tests disclosed no instances in which the Department’s financial management systems did not
substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal
accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.
Additionally, if the scope of our work had been sufficient to enable us to express an opinion on the consolidated
financial statements, instances of noncompliance or other matters may have been identified and reported
herein.
Department’s Response to Findings
Government Auditing Standards requires the auditor to perform limited procedures on the Department's
response to the findings identified in our engagement and described in Exhibit C. The Department’s response
was not subjected to the other auditing procedures applied in the engagement to audit the consolidated
financial statements and, accordingly, we express no opinion on the response.
Our response to the Department’s response is included in Exhibit D.
Purpose of the Reporting Required by Government Auditing Standards
The purpose of the communication described in the Report on Internal Control Over Financial Reporting and
the Report on Compliance and Other Matters sections is solely to describe the scope of our testing of internal
control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the
Department’s internal control or compliance. Accordingly, this communication is not suitable for any other
purpose.
Washington, D.C.
January 23, 2023
Exhibit A
Material Weakness
Controls over the Relevance and Reliability of Underlying Data Used in Credit Reform Estimates Need
Improvement
Background:
The material weakness under this section is related to the Department’s Direct and FFEL student loan
portfolios.
The Department is required to perform interest rate and technical re-estimates (commonly referred to as
estimates) of the subsidy costs of its direct loan and guaranty programs as of September 30 every year.
During fiscal year 2022, the Department announced changes to its student loan programs, including broad-
based debt relief for borrowers meeting certain criteria (eligible borrowers). Management estimated the subsidy
costs stemming from the broad-based debt relief as of September 30, 2022. Management’s estimate used data
and assumptions related to a take-up rate, among other assumptions. The take-up rate assumption represents how many eligible borrowers are expected to apply for debt relief and is therefore a key assumption for estimating the impact of broad-based debt relief on the financial statements. This assumption is used as an
input in the Income Driven Repayment (IDR), Collections, and Death, Disability & Bankruptcy (DD&B)
assumptions.
These assumptions are included in the estimates calculated using the Department’s internally developed cash
flow model, the Student Loan Model (SLM). The SLM utilizes assumptions based on internally sourced data
elements from Information Technology systems to generate future cash flows. These future cash flows are then
input into the format required by the Office of Management and Budget (OMB) Credit Subsidy Calculator
(CSC), a required present value discount tool for agencies with credit reform programs, to produce the subsidy
cost estimate.
Condition:
Management's internal controls were not properly designed at an appropriate level of precision to address the
relevance and reliability of the underlying data used to develop the take-up rate assumption used in the various
loan program estimates. In addition, management did not design sufficiently precise controls over the relevance
and reliability of certain data used in other key assumptions for the SLM cash flow model to develop the
subsidy cost estimates.
Cause/Effect:
Management’s risk assessment process did not identify the relevance and reliability of the underlying data used in significant assumptions for the estimates, including the take-up rate assumption, as a risk that required additional controls. As a result, the documentation supporting the subsidy cost estimates in the financial statements did not evidence the estimate calculations. Inadequate controls over the relevance and reliability of the underlying data used to develop the estimate calculations increase the risk that the financial statements could be materially misstated.
Criteria:
The following criteria were considered in the evaluation of the material weakness presented in this exhibit:
• The Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States (the Green Book), Principle No. 6, Management should define objectives clearly to enable the identification of risks and define risk tolerances; Principle No. 10, Design Control Activities; Principle No. 13, Use Quality Information.
• FASAB Technical Release No. 6, Preparing Estimates for Direct Loan and Loan Guarantee Subsidies under the Federal Credit Reform Act – Amendments to Technical Release No. 3, Preparing and Auditing Direct Loan and Loan Guarantee Subsidies under the Federal Credit Reform Act, Paragraph 20.
Recommendation:
We recommend that management:
1. Design and implement controls that require the validation of the relevance and reliability of underlying data
used in developing the assumptions related to the subsidy cost estimates. Such review should be
documented and maintained.
Exhibit B
Significant Deficiencies
A. Information Technology Controls Need Improvement
The following control deficiencies in the areas of Information Technology (IT) logical access, security
management, segregation of IT duties, application change management, and computer operations are related
to both the Department and Federal Student Aid (FSA) systems.
Conditions:
In prior years, we reported a significant deficiency related to the Department’s and FSA’s IT controls due to persistent unmitigated IT control deficiencies. During FY 2022, FSA management demonstrated progress implementing corrective actions to remediate some prior-year deficiencies, such as oversight of service organization controls. However, Department management and FSA management have not fully remediated
prior-year deficiencies related to logical access administration, separated and transferred user access removal,
user access reviews and recertification, and configuration management. New and existing IT control
deficiencies related to security management, access controls, segregation of IT duties, application change
management, and computer operations for the Department’s core financial management system, three of
FSA’s financial and mixed systems, and two access management support systems are as follows:
Department:
1. Weakness in IT logical access controls: New and separated contractors were not consistently and
accurately tracked including inconsistent reporting of start and termination dates. Further, the account
controls were not consistently followed for the Department’s core financial management system.
Specifically:
a. documentation supporting the completed security awareness training for new and modified users could
not be provided;
b. evidence supporting complete and accurate access reviews and recertifications was not provided or
retained;
c. password controls were not designed to meet the Department’s requirements; and
d. the Department’s requirement for the use and monitoring of generic and shared accounts was not met
for all accounts.
2. Weakness in IT application change management and patch management controls: The application change
management and patch management policies and processes were not consistently followed for the
Department’s core financial management system in accordance with Department policy. The Department
was unable to provide sufficient evidence supporting tracking, security assessment, and approval for
certain application changes and patches.
3. Weakness in IT computer operations controls: Changes to the job processing tool and schedules were not
centrally tracked and were made directly in production. Finally, the use and monitoring of generic and
shared accounts for the job scheduling tool did not follow the Department’s requirements.
FSA:
1. Weakness in IT security management controls: Plan of Action and Milestone (POA&M) closure
documentation for FSA systems did not always address the root cause of the deficiencies, thereby
increasing the potential of IT control deficiencies reoccurring in the future.
2. Weakness in IT logical access controls: The access control processes were not consistently followed for
three FSA systems and two access control support systems. Evidence supporting complete and accurate
access listings and evidence supporting new, modified, or separated users could not be provided or was
provided with missing required information and/or approvals; evidence supporting complete and accurate
access reviews and recertifications was not provided or retained; and the Department’s requirement for
two-factor authentication was not met for all internal system users.
3. Weaknesses in IT controls related to the segregation of IT duties: For one FSA system, users with
developer access had access greater than read-only to the system’s production environment or update
access to the production and development environments.
4. Weakness in IT application change management controls: The application change management process
was not consistently followed for one FSA system. FSA was unable to provide a complete and accurate
population of application changes. Also, documentation for a selection of changes contained inaccuracies
in recorded testing and migration dates.
Cause/Effect:
There was a lack of effective monitoring controls by the Department and FSA to ensure:
1. Corrective actions to remediate prior-year conditions and associated causes are fully implemented, as well
as verifying and validating that these corrective actions were effectively addressing the weakness with
adequately documented supporting evidence.
2. Systems and support processes consistently adhered to documented agency-wide policies and procedures
for the financial and mixed systems hosted and managed by FSA and the Department.
3. The established logical access control process is followed and requests and related evidence for new,
modified, or separated users were retained, documented completely and accurately, and approved.
4. Complete and accurate access reviews are performed to detect and mitigate the risk of unauthorized
accounts, access that is not commensurate with job responsibilities or least privilege, and access
permissions not being revoked timely.
5. Password controls are designed to meet the Department’s requirements.
6. The requirements for the use and monitoring of generic and shared accounts controls are followed and
enforced.
7. Segregation of duties and least privilege principles are followed and enforced.
8. The established change process and patch management process are followed.
9. The established process for job processing changes is followed and the requirements for the use and
monitoring of generic/shared accounts controls for the job scheduling tool are followed and enforced.
10. The established computer operations process detects and/or prevents unauthorized changes to the job
processing tool and schedules within the core financial system environment.
Ineffective IT controls increase the risk of unauthorized use, disclosure, disruption, modification, or destruction of information and information systems, which could impact the integrity and reliability of information processed in the associated applications and may lead to misstatements of the financial statements.
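The monitoring gaps listed above (separated users left enabled, review populations that were never verified as complete or unmodified, inactive accounts, generic/shared accounts without documented approval, developers holding update rights in production) are what a periodic, evidence-producing access review is meant to catch. The following is an added example and not code from the audit report, the Department or FSA: it gates the review on an attested row count and SHA-256 of the exported listing, then reconciles each enabled account against an HR roster and policy. The HR roster, the access listing, the 90-day inactivity threshold and the attestation handoff are all constructed assumptions for illustration.

```python
import csv
import hashlib
import io
from dataclasses import dataclass
from datetime import date

# --- Constructed sample inputs (assumptions, not data from the audit report) ---
# HR roster: who is currently engaged and when separated users left.
HR_ROSTER = [
    {"user": "jdoe",   "status": "active",    "separated": ""},
    {"user": "asmith", "status": "separated", "separated": "2022-06-30"},
    {"user": "bkim",   "status": "active",    "separated": ""},
    {"user": "cdev",   "status": "active",    "separated": ""},
]

# Access listing exported from the application/database layer. 'roles' is a
# ';'-separated list; 'prod_update' marks update rights in production.
ACCESS_LISTING_CSV = """\
account,owner,kind,enabled,last_login,roles,prod_update
jdoe,jdoe,individual,Y,2022-09-12,ap_clerk,N
asmith,asmith,individual,Y,2022-07-15,gl_post,N
bkim,bkim,individual,Y,2022-03-01,reporting,N
cdev,cdev,individual,Y,2022-09-20,developer;reporting,Y
batchsvc,,generic,Y,2022-09-29,job_scheduler,Y
ghost,,individual,Y,2022-09-01,gl_post,N
"""

# What the system owner attests to when handing the export to the reviewer.
ATTESTED_COUNT = 6
ATTESTED_SHA256 = hashlib.sha256(ACCESS_LISTING_CSV.encode()).hexdigest()
AS_OF = date(2022, 9, 30)
INACTIVE_DAYS = 90              # assumed policy threshold, not from the report
APPROVED_GENERIC = frozenset()  # generic accounts with a risk acceptance on file


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def verify_listing(raw: str, attested_sha256: str, attested_count: int) -> list[str]:
    """Confirm the population is complete and unmodified before reviewing it.
    Returns the list of problems; an empty list means the listing is usable."""
    problems = []
    if hashlib.sha256(raw.encode()).hexdigest() != attested_sha256:
        problems.append("listing hash does not match the attested export")
    rows = list(csv.DictReader(io.StringIO(raw)))
    if len(rows) != attested_count:
        problems.append(f"listing has {len(rows)} rows, attested {attested_count}")
    return problems


def review_access(raw: str, hr_roster, as_of: date,
                  inactive_days: int = INACTIVE_DAYS,
                  approved_generic=APPROVED_GENERIC) -> list[Finding]:
    """Reconcile the access listing against HR and policy; one Finding per issue."""
    hr = {r["user"]: r for r in hr_roster}
    findings = []
    for row in csv.DictReader(io.StringIO(raw)):
        acct = row["account"]
        if row["enabled"] != "Y":
            continue  # disabled accounts are out of scope for these checks
        # 1. Generic/shared accounts need a documented risk acceptance.
        if row["kind"] == "generic":
            if acct not in approved_generic:
                findings.append(Finding(acct, "UNAPPROVED_GENERIC_ACCOUNT",
                                        "no risk acceptance on file"))
        else:
            # 2. Every individual account must map to a current HR record.
            owner = row["owner"] or acct
            person = hr.get(owner)
            if person is None:
                findings.append(Finding(acct, "NO_HR_RECORD",
                                        f"owner '{owner}' not in HR roster"))
            elif person["status"] == "separated":
                gone = (as_of - date.fromisoformat(person["separated"])).days
                findings.append(Finding(acct, "SEPARATED_USER_ENABLED",
                                        f"separated {gone} days ago, still enabled"))
        # 3. Inactive accounts should already have been disabled by policy.
        idle = (as_of - date.fromisoformat(row["last_login"])).days
        if idle > inactive_days:
            findings.append(Finding(acct, "INACTIVE_ACCOUNT_ENABLED",
                                    f"no login for {idle} days"))
        # 4. Segregation of duties: developers must not hold production update rights.
        roles = set(row["roles"].split(";"))
        if "developer" in roles and row["prod_update"] == "Y":
            findings.append(Finding(acct, "SOD_DEVELOPER_PROD_UPDATE",
                                    "developer role with update access to production"))
    return findings


def run_sample_review() -> list[Finding]:
    """Gate the review on listing integrity, then run the reconciliation."""
    problems = verify_listing(ACCESS_LISTING_CSV, ATTESTED_SHA256, ATTESTED_COUNT)
    if problems:
        raise ValueError("listing rejected: " + "; ".join(problems))
    return review_access(ACCESS_LISTING_CSV, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.account:10} {f.issue:28} {f.detail}")
```

The integrity gate is the point that the conditions above turn on: a reviewer who cannot show that the population was complete and unchanged when the review started has no evidence that the review covered every account, however carefully the rows were examined. Retaining the attested hash and count with the review output is what makes the control auditable.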
Criteria:
The following criteria were considered in the evaluation of the significant deficiency presented in this exhibit:
• The Departmental Directive OCIO 3-112, Cybersecurity Policy.
• Department Information Technology (IT) System Access Control Standard.
• EDCAPS System Security Plan (SSP) control requirements.
• EDCAPS Configuration Management Plan (CMP).
• Department Information Technology System and Information Integrity (SI) standard policy section 2.2 control SI-2, Flaw Remediation.
• EDCAPS Patch Management Plan, section 4.7 Patch Maintenance.
• Department Baseline Cybersecurity Standard, OCIO-STND-01, dated September 23, 2021, Section 3.15, Acceptable Use.
• The Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States (the Green Book), Principle No. 3.08 Assignment of Responsibility and Delegation of Authority, Principle No. 4, Demonstrate Commitment to Competence, Principle No. 7, Identify, Analyze, and Respond to Risks, Principle No. 8.07 Response to Fraud Risks, Principle No. 10.03 Design of Appropriate Types of Control Activities, Principle No. 10.12 Segregation of Duties, Principle No. 11, Design Activities for the Information System, Principle No. 13, Use Quality Information, Principle No. 16, Perform Monitoring Activities.
• Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems.
• National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5, specifically security control requirements PM-4 Plan of Action and Milestones, AC-2 Account Management, AC-5 Separation of Duties, AC-6 Least Privilege, AT-3 Role-based Training, AT-4 Training Records, CM-3 Configuration Change Control, and SI-2 Flaw Remediation.
Recommendations:
We recommend that the Department:
1. Evaluate, develop, and implement a formal process to track and report all new and separated contractors.
2. Ensure separated contractors are off-boarded and system personnel are notified in a timely manner to
disable or remove access to IT resources.
3. Provide training and oversight to the Department’s personnel with on/off-boarding responsibilities to help
ensure new/separated contractors are properly tracked.
4. Update access review procedures to require the reviewers to verify the access lists received to be used in
the performance of the access reviews is complete and accurate and not modified prior to commencing the
access reviews.
5. Identify and implement a process for the reviewer to validate the population generated for review is
complete and accurate.
6. Enforce established access authorization controls and ensure all requirements are met prior to granting
system access.
7. Formally perform and document the periodic reviews of all database user accounts in accordance with
Department policy to confirm access is current, authorized, and commensurate with job responsibilities.
8. Ensure the application and database server access reviews include the verification of access privileges
assigned to the user accounts are commensurate with job responsibilities and follow the concept of least
privilege.
9. Ensure the database and server layers comply with the disabling of inactive accounts and account lockout
duration password setting requirements, as required by Department policy.
10. Adhere to the SSP control requirements and avoid the use of generic and shared accounts. If generic and
shared accounts are required, obtain a formal risk acceptance and develop a policy and procedure to:
o Authorize the use of these accounts by approved personnel,
o Control who can access the generic/shared accounts and ensure that sensitive actions performed by the
accounts are logged and reviewed every time the accounts are used, and
o Require that generic/shared accounts’ passwords are changed each time approved personnel separate
or transfer from the Department.
We recommend that FSA:
11. Implement a process to evaluate the magnitude of impact, likelihood of occurrence, and nature of the
deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further,
update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to
confirm the noted deficiencies are fully addressed to help prevent future reoccurrences.
12. Formally develop and implement a quality control review process to ensure that logical access control
processes are followed completely and accurately to validate logical access requests, reviews, and
recertifications.
13. Ensure segregation of duties and least privilege principles are adhered to when granting user access to
prevent users from having the ability to develop and/or change application code and having update access
to the environment where the final tested and approved changes are staged prior to migration to the
production environment; and prevent users with access to develop code from having update access to the
production environment.
14. Evaluate and update the access review control process based on risk and enforce segregation of duties.
15. Reconcile the list of users’ roles and responsibilities per the identity and access software tools to the lists
that reside in each system accessed by such users.
16. Update access review procedures to require the reviewer to verify that the access list received for use in
the access reviews is complete and accurate and has not been modified before the reviews begin.
17. Enforce established access authorization controls and ensure all requirements are met prior to granting
access to systems.
18. Ensure a complete and accurate population of application changes is provided. Formally develop and
implement a quality control review process to ensure that the application change control process is
followed and consistently and accurately documented.
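Recommendations 4, 5, 15 and 16 amount to two concrete checks: prove that the access review population was not altered after extraction, and reconcile what the identity and access tool says a user should hold against what each system actually holds. The following is an added example of both checks and is not code from the report, the auditors or the Department; the identity export, the system account dump, the system name "LoanDB", the 90-day inactivity threshold and the review date are all constructed sample values.

```python
import hashlib
import json
from datetime import date

# Constructed sample data standing in for an identity-tool export and a
# per-system account dump; none of it comes from the audit report.
REVIEW_DATE = date(2022, 9, 30)
IAM_EXPORT = [
    {"user": "analyst1", "system": "LoanDB", "role": "analyst", "status": "active"},
    {"user": "dev2", "system": "LoanDB", "role": "developer", "status": "separated"},
    {"user": "dba3", "system": "LoanDB", "role": "dba", "status": "active"},
]
SYSTEM_ACCOUNTS = {
    "LoanDB": [
        {"user": "analyst1", "role": "analyst", "enabled": True, "last_login": "2022-09-15"},
        {"user": "dev2", "role": "developer", "enabled": True, "last_login": "2022-05-01"},
        {"user": "dba3", "role": "admin", "enabled": True, "last_login": "2022-04-01"},
        {"user": "svc_shared", "role": "admin", "enabled": True, "last_login": "2022-09-29"},
    ]
}

def population_digest(accounts):
    """Hash a canonical form of an account list so the reviewer can confirm the
    population was not altered between extraction and review (recs. 4, 5, 16)."""
    canonical = json.dumps(sorted(accounts, key=lambda a: a["user"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def reconcile(iam_export, system_accounts, today, inactive_days=90):
    """Compare identity-tool entitlements with each system's real account list
    (rec. 15) and flag the conditions the report calls out. Returns a list of
    (system, user, finding) tuples."""
    findings = []
    for system, accounts in system_accounts.items():
        expected = {e["user"]: e for e in iam_export if e["system"] == system}
        for acct in accounts:
            entry = expected.get(acct["user"])
            if entry is None:  # account exists only on the system: orphan or shared account
                findings.append((system, acct["user"], "NOT_IN_IAM"))
                continue
            if entry["status"] == "separated" and acct["enabled"]:  # off-boarding gap
                findings.append((system, acct["user"], "SEPARATED_STILL_ENABLED"))
            if entry["role"] != acct["role"]:  # privilege drift vs. approved role
                findings.append((system, acct["user"], "ROLE_MISMATCH"))
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if acct["enabled"] and idle > inactive_days:  # inactive account not disabled
                findings.append((system, acct["user"], "INACTIVE_NOT_DISABLED"))
    return findings
```

The reviewer records the digest when the population is extracted and recomputes it before starting the review; any difference means the list was modified in between.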
B. Entity Level Controls Need Improvement
The Department and FSA are continually seeking ways to improve accountability in achieving the entity’s
mission. A key factor in improving accountability in achieving an entity’s mission is to implement an effective
internal control system. The control environment sets the tone of an organization by influencing the control
consciousness of its personnel. It is also the foundation for all components of internal control, providing
discipline and structure. The Department and FSA need to address weaknesses in their entity-wide control
environment: through our procedures, we observed two entity-wide control environment conditions, in the
areas of risk assessment and monitoring activities, that have a pervasive influence on the effectiveness of
controls.
Conditions:
1. Risk Assessment - The Department’s and FSA’s entity-level controls were not designed and implemented
appropriately to define objectives for the financial reporting process so as to enable the identification of
risks, define risk tolerances, and identify processes and controls responsive to those risks.
2. Monitoring Activities - The Department’s and FSA’s entity-level controls were not designed and implemented
appropriately to remediate identified internal control deficiencies in a timely manner.
Cause/Effect:
1) Risk assessment considerations address the risks facing the entity as it seeks to achieve its objectives.
This assessment provides the basis for developing appropriate risk responses. Specifically, inadequate risk
assessment throughout the Department and FSA prevented the proper identification and analysis of
certain risks related to the financial reporting process at the Department and FSA, and prevented the design of
appropriate risk responses.
2) Monitoring activities considerations address management’s processes to establish and implement
operations that assess the quality of performance over time and promptly resolve the findings of audits and
other reviews. Specifically, insufficient monitoring has prevented the Department and FSA from ensuring
that corrective action plans are implemented and that control deficiencies are remediated in a timely manner.
The conditions noted above contributed to the control deficiencies described earlier in the report and could lead
to other weaknesses in internal control over financial reporting.
Criteria:
The following criteria were considered in the evaluation of the significant deficiency presented in this Exhibit:
GAO Standards for Internal Control in the Federal Government (Green Book) Principle 6, Management
should define objectives clearly to enable the identification of risks and define risk tolerances.
GAO Standards for Internal Control in the Federal Government (Green Book) Principle 17, Management
should remediate identified internal control deficiencies on a timely basis.
Recommendations:
We recommend that management implement the following to improve the effectiveness of entity-level controls:
1. Improve the risk assessment process at the financial statement assertion level and at the process level to
ensure the Department is appropriately defining objectives to enable the identification of risks and define
risk tolerances.
2. Implement key monitoring controls to ensure that corrective action plans are implemented to remediate
identified control deficiencies in a timely manner. In addition, increase oversight, review, and accountability over
the process among the various offices and directorates within the Department and FSA.
Exhibit C
Management’s Response
Exhibit D
Auditors’ Response to Management’s Response
We acknowledge the Department’s response to our Independent Auditors’ Report, presented in Exhibit C, and
note that the Department partially concurred with the material weakness included in our report presented in
Exhibit A. We evaluated management’s response and have determined that the material weakness in internal
control over financial reporting is appropriate. As noted in Exhibit A, management’s controls were not designed
at a sufficient level of precision to address the relevance and reliability of the aforementioned data used in the
subsidy cost estimates.