ࡱ> b jbjb hhv<<<$222P^2$2T82222278D9$,֊R(C<297@72929Cr:<<22Xr:r:r:29<2<2r:`$|<<29r:r:JH<<2 v\'29ՃBn0(r:(r:<d22UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Evaluation and Inspection Services May 5, 2009 Memorandum TO: James Manning Acting Chief Operating Officer Federal Student Aid FROM: Wanda A. Scott /s/ Assistant Inspector General Evaluation, Inspection, and Management Services SUBJECT: Final Management Information Report Review of Federal Student Aids Enterprise Risk Management Program (ED-OIG/I13I0005) This final management information report presents the results of our review of Federal Student Aids (FSA) Enterprise Risk Management Program and FSAs response to those results. BACKGROUND In May 2006, FSA formally created the Enterprise Risk Management Group (ERMG). The ERMG is divided into two main areas: the Internal Review Division and the Risk Analysis and Reporting Division. The Internal Review Division is responsible for helping to ensure that an effective internal control framework is in place across the enterprise; however, it does not have any responsibilities related to the implementation of enterprise risk management. The Risk Analysis and Reporting Division is responsible for developing an enterprise risk management strategy and implementing an enterprise risk management program at FSA. The ERMG is headed by the Chief Risk Officer who reports to the General Manager of Enterprise Performance Management Services. According to FSAs Five-Year Plan for 2006-2010, the enterprise risk management function was intended to develop risk assessments and provide a more strategic view of future risks, and was designed to better equip senior management to anticipate, analyze, and manage risks inherent in the federal student financial assistance programs. FSAs enterprise risk management program is based on the Enterprise Risk Management Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Framework). The COSO Framework defines enterprise risk management as a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The COSO Framework consists of eight interrelated components that are derived from the way management runs an enterprise and are integrated with the management process. The components are described as follows: Internal Environment this component serves as the basis for enterprise risk management and is comprised of the entitys risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entitys employees; and the environment in which those employees operate. Objective Setting the entity ensures it has a process to set objectives and that the objectives support and are aligned with the entitys mission. Objective Setting is a precondition to Event Identification, Risk Assessment, and Risk Response. Event Identification the entity identifies internal and external events affecting the achievement of its objectives, and distinguishes between risks (negative impact) and opportunities (positive impact). Risk Assessment the entity analyzes identified risks, considering likelihood and impact, to determine how they should be managed. Risk Response the entity identifies and evaluates possible responses to risk, and selects a set of actions to align risks with the entitys risk tolerances and risk appetite. Control Activities the entity establishes and executes policies and procedures to help ensure that the risk responses are effectively carried out. Information and Communication the entity identifies, captures, and communicates relevant information throughout the entity in a clear form and timeframe that enables people to carry out their responsibilities. Monitoring the entire entity monitors itself through ongoing management activities and/or separate evaluations. According to the ERMG, enterprise risk management at FSA is a coordinated, culture-based approach to holistically addressing all of an organizations risks including operational, financial, strategic, compliance and reputational risks under one umbrella. The ERMG is implementing its COSO Framework-based enterprise risk management program in three phases. Phase I involves establishing the ERMG and committee, developing a strategy and methodology for implementation, obtaining contractor services, and communicating enterprise risk management information to FSAs executives. Phase II consists of formalizing the enterprise risk management strategy and project plan, adopting a risk framework, developing an enterprise risk management website, conducting a high-level risk assessment at FSA, developing a methodology for performing business unit risk assessments, developing a risk tracking system, and identifying, assessing, and inventorying risks for 25 percent of FSAs business units. These activities focus on the Event Identification and Risk Assessment components of the COSO Framework. Phase III involves identifying, assessing, and inventorying risks for the remaining 75 percent of the business units, creating enterprise level reports for senior management, documenting FSAs risk tolerances and appetites, and developing a methodology for fully implementing the remaining enterprise risk management components. The ERMGs project plan indicates that all phases will be complete by September 30, 2010. REVIEW RESULTS The objective of our inspection was to evaluate FSAs implementation of enterprise risk management. The ERMG has not fully addressed any of the COSO Frameworks eight components. The COSO Framework states that determining whether an enterprise risk management program is effective is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. While it has developed plans and begun business unit activities related to three components (Objective Setting, Event Identification, and Risk Assessment), the plans for fully addressing the remaining five components at FSA (Internal Environment, Risk Response, Control Activities, Information and Communication, and Monitoring) have received limited attention. As a result, FSA has not implemented enterprise risk management. This report will present information on FSAs progress toward implementation as of December 2008. The Chief Risk Officer began working at FSA in June 2004. FSAs former Chief Operating Officer formally approved the ERMG in May 2006, nearly two years later. Prior to formal approval, the ERMG began conducting activities associated with Phase I of its program. After receiving formal approval, the ERMG officially started its enterprise risk management program and began strategic planning. The Chief Risk Officer and the Risk Analysis Team Leader informed us that FSA management also assigned them multiple high priority special projects, such as a regional workforce effectiveness study, conducted for approximately seven months, which limited the amount of time available to implement enterprise risk management. The ERMG completed Phase I of its program on December 30, 2006, and has nearly completed all activities associated with Phase II. The ERMG began work in FSAs business units in May 2007. As of December 2008, the ERMG has completed risk identification, aggregate risk assessment, and inventory activities for 3 of 26 business units. As part of these initial business unit activities the ERMG also aligned each business units goals and objectives with FSAs strategic objectives. These three business units are: Communications, Reporting, and Analysis; Facilities, Security, and Emergency Management Services; and Workforce Development Services. The ERMG has nearly completed risk identification in two other business units: Conferences and Administration Services; and Human Resources and Workforce Services. The ERMG has initiated work in three more business units: Strategic Planning; Financial Management; and Budget. None of FSAs business units directly responsible for administering the federal student aid programs have been examined or included in ERMGs business unit activities to date. The Chief Risk Officer anticipates that the ERMG will have risks documented in all 26 business units by the end of calendar year 2009, and has hired a contractor to help accomplish this task within this timeframe. In addition, as a training tool for new risk analysts, the ERMG is planning a review of the Enterprise Risk Management business unit. After risk identification, aggregate risk assessment, and inventory activities have been completed for all business units, the ERMG plans to return to each business unit to identify the risk responses and assess the amount of residual risk given the control activities in place. According to the ERMGs project plan, the end date for these activities is September 30, 2010. The ERMG does not have a formal methodology in place for identifying risk responses and assessing the amount of residual risk. The business unit risk activities thus far have concentrated on Event Identification and Risk Assessment at the aggregate level. The ERMG has also given attention to the Objective Setting component at the FSA-wide level and as part of each business unit review. The Chief Risk Officer said that the Risk Assessment component is more straightforward than the Internal Environment and Objective Setting components of the COSO Framework. The ERMG has not focused on the Internal Environment component, including defining FSAs risk appetite and risk philosophy, nor has it begun to conduct activities specifically related to the Risk Response, Control Activities, Information and Communication, and Monitoring components. The ERMGs limited attention to the Internal Environment component is noteworthy given the importance placed on it throughout the COSO Framework and in the ERMGs own definition. The COSO Framework states that the Internal Environment sets the basis for how risk and control are viewed and addressed by an entitys people. The ERMGs definition of the Internal Environment, based on the COSO Frameworks description of that component, states that the Internal Environment is the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management. According to the ERMGs definition, Internal Environment elements include an entity's risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility. The COSO Framework states that the effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. While both the COSO Framework and the ERMG, as expressed in its definition, agree that the Internal Environment serves as a basis for all other components of enterprise risk management, the ERMGs work has not addressed the specific elements of the Internal Environment. The ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite. Additionally, the ERMG has not given attention to existing information on FSAs Internal Environment such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership or Office of Inspector General audits that have also found issues with FSAs Internal Environment. The COSO Framework emphasizes that the negative impact of an ineffectual Internal Environment can be far-reaching. FSA COMMENTS On March 17, 2009, we provided FSA with a copy of our draft management information report for comment. We received FSAs comments to the report on April 14, 2009. FSA did not take issue with any of the factual information presented in the report, but did have comments on the way in which the information was presented. We have summarized FSAs concerns and provided our responses below. FSAs response, in its entirety, is attached. FSA Comment FSA stated that we did not elaborate on what is meant by the statement in the report that ERMG has not fully addressed any of the COSO Frameworks eight components, and that this implies that the ERMGs efforts relating to the eight components of COSO are in some way deficient. FSA also stated that OIGs assertion that FSA has not implemented enterprise risk management is somewhat misleading because it states the obvious and could undermine the ERMGs efforts because many of the benefits associated with enterprise risk management can be and are realized prior to the full implementation. OIG Response The statement that the ERMG has not fully addressed any of the COSO Frameworks eight components is a conclusion based on a review of the ERMGs activities thus far. The Review Results section of the report fully explains the status of each of the eight components. For example, on page 3 we explained that the ERMG has developed plans and begun activities related to three components and that the plans for fully addressing the remaining five components have received limited attention. On page 4 we noted that none of FSAs business units directly responsible for administering the federal student aid programs have been examined or included in ERMGs business unit activities to date. The statement that FSA has not implemented enterprise risk management is also a conclusion in answer to our objective and is supported by all of the facts presented in our report. This conclusion is necessary for a full understanding of the current state of enterprise risk management at FSA. To the extent that FSA management recognizes value in the efforts of the ERMG, the facts presented in our report should not undermine the work of the ERMG. We note that in its response, FSA did not provide any specific benefits that have been realized as a result of its enterprise risk management implementation efforts. FSA Comment FSA stated that while the business unit activities referred to in the report represent a significant part of FSAs enterprise risk management program, the ERMG conducted other activities between May 2007 and December 2008. FSA provided a list of activities the ERMG had conducted during this time. FSA stated that OIGs failure to recognize these activities in the Review Results section of the report could present an unbalanced view of the status of FSAs enterprise risk management program and associated implementation efforts. OIG Response OIG did not recognize all of the ERMGs activities in the Review Results section. In the Background section of our report, we noted that Phase I of FSAs enterprise risk management program included obtaining contractor services, and communicating enterprise risk management information to FSA executives and Phase II included conducting a high-level risk assessment and developing a risk tracking system. In the Review Results section of our report, we stated that the ERMG had completed Phase I of its program and had nearly completed all activities associated with Phase II. The report did not discuss the development of tools, resources, policies, procedures, and process documents to guide and support the program because they are typical activities when starting new programs and are not unique to the implementation of enterprise risk management at FSA. The report is not designed to be a catalog of all the activities conducted by the ERMG since its inception, but rather to explain the current state of enterprise risk management at FSA. FSA Comment FSA stated that it disagrees with the characterization that it has devoted limited attention to the Internal Environment component and stated that it has performed or is in the process of performing significant efforts relating to FSAs internal environment. The specific example that FSA provided was the high-level risk assessment performed under a purchase agreement with Grant Thornton LLP which, according to FSA, provided a high-level baseline review and documentation of FSAs internal environment. OIG Response We reviewed Grant Thorntons high-level risk assessment and the associated purchase order during the course of our fieldwork. We found that a review of FSAs internal environment was not the primary purpose of the work as it was not mentioned in the task order and was not included in the initial draft report provided to FSA. In fact, the Risk Analysis Team Leader, who also served as the Contracting Officers Representative for the purchase order, told us during our fieldwork that the internal environment section was not very involved. When discussing the assessment, the Chief Risk Officer said that he wanted the contractor to do a quick review of the internal environment so the ERMG could check off that it had been completed. The listing of documents reviewed by Grant Thornton, found in Appendix B of its final report, does not contain OIG reports or FSA-wide employee surveys. At the time of Grant Thorntons work, OIG had completed audits that identified significant internal control weaknesses at FSA. Additionally, there were employee survey results suggesting a concern among FSA staff about a lack of integrity, ethical values and commitment to competence from FSA leadership. Because the high-level risk assessment is the only area in which the ERMG claims to have addressed Internal Environment on an enterprise-wide level and based on the weaknesses related to the report noted above, we concluded that the ERMG has given limited attention to the Internal Environment component. FSA Comment FSA stated that it believes the ERMG efforts related to the Internal Environment component are substantial; however, it stated that it did not intend to audit or opine on the strength or effectiveness of this component. FSA further stated that to do so would be premature and offer little or no added value. OIG Response We stand by our conclusion that the ERMGs efforts related to the Internal Environment component are limited. The ERMG defines the Internal Environment component as the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management. [Emphasis added.] According to the ERMG definition, Internal Environment elements include an entitys risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entitys people; and the way management assigns authority and responsibility. As we stated in our report, [t]he ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite. Additionally, the ERMG has not given attention to existing information on FSAs Internal Environment such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership. The COSO Framework states that the effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. The ERMGs efforts related to the Internal Environment component are not substantial due to the fact that the ERMG has not addressed the specific elements of the component. The fact that FSA believes that determining the strength or effectiveness of this component would be premature and offer little or no added value is contradictory to the importance placed on it in the COSO Framework and by the ERMGs own definition. OBJECTIVE, SCOPE, AND METHODOLOGY The objective of our inspection was to evaluate FSAs implementation of Enterprise Risk Management. We began our fieldwork on July 17, 2008 and conducted an exit conference on February 10, 2009. The scope of our review included the ERMGs implementation activities at FSA from the hiring of the Chief Risk Officer in June 2004 to December 2008. We reviewed COSOs Enterprise Risk Management Integrated Framework. To evaluate FSAs implementation of enterprise risk management, we reviewed the ERMGs Strategic Plan, Project Plan, methodology for conducting business unit risk activities, risk categories, risk ratings, risk heat map, risk terminology, and listing of special projects. We also reviewed seven of the ERMGs PowerPoint presentations and documents related to Business Unit Risk Activities in five business units, including summary reports for three of those business units. We reviewed documents associated with both of the ERMGs purchase agreements for enterprise risk management support services, ED-06-AG-0039 with Grant Thornton and ED-08-AG-0003 with ADI Consulting, including the High-Level Risk Assessment created by Grant Thornton under Task Order 1 of their purchase agreement. We also interviewed FSA staff in the ERMG. Our inspection was performed in accordance with the 2005 Presidents Council on Integrity and Efficiency Quality Standards for Inspections appropriate to the scope of the inspection described above. ADMINISTRATIVE MATTERS In accordance with the Freedom of Information Act (5 U.S.C. 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act. Electronic cc: Linda Hall, Acting General Manager, Enterprise Performance Management Services Stan Dore, Chief Risk Officer Marge White, Director, Internal Review Division Cynthia Vitters, Team Leader, Risk Analysis Team  April 10, 2009 Mr. W. Christian Vierling Director, Evaluation and Inspection Services U.S. Department of Education Office of Inspector General 550 12th Street, S.W., Room 8153 Washington, DC 20024 Dear Mr. Vierling: Thank you for providing us with an opportunity to respond to the Office of Inspector Generals (OIG) draft management information report entitled, Review of Federal Student Aids Enterprise Risk Management Program (Control Number ED-OIG/I13I0005). While we understand that since this report did not contain any recommendations for corrective action, no response is required, we appreciate the opportunity to address some of the information, comments and assertions contained therein. As noted in the background section of this management information report (MIR), Federal Student Aids Enterprise Risk Management Group (ERMG) was created in May 2006 to provide a more strategic view of risks at Federal Student Aid (FSA) and better enable senior management to identify, assess, manage and monitor those risks. In support of those objectives, ERMGs Risk Analysis & Reporting Division is leading the effort to implement an Enterprise Risk Management (ERM) Program at FSA. This effort, which is among the first of its kind in the federal government, represents a forward-looking and proactive approach to evaluating and managing risk, especially at the enterprise or strategic level. Since much of the focus of this inspection was centered on evaluating FSAs implementation of its ERM program against its adherence to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, we feel compelled to respond to some assertions contained in the OIG Inspection report that we do not believe to fairly characterize the results of our effort to date. One such example of this is the statement that ERMG has not fully addressed any of the COSO Frameworks eight components. The report does not elaborate on what is meant by fully addressing the components, yet implies that ERMGs efforts relating to the eight components of COSO are in some way deficient. Page 2 - Mr. W. Christian Vierling FSA has chosen to adopt a framework, which is based on the ERM Integrated Framework issued in 2004 by COSO. Since the COSO Framework was developed primarily with public stockholder-owned corporations in mind, Federal Student Aid has spent considerable time evaluating and considering how to utilize various aspects of this Framework to be most applicable and beneficial to a federal entity. Federal Student Aid has made the decision to address all eight components in its ERM Program, Strategy, and/or Project Plan documents, which were provided to the OIG inspectors at the beginning of their fieldwork. At no point during the inspection did ERMG represent that all activities related to these components were complete and some are not yet even in process. However, we are not applying the COSO Framework in the exact manner or order described in the COSO guidance. The guidance in COSO all but mandates this approach. Specifically, COSO states: No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture. Thus, while all entities should have each of the components in place and operating effectively, one companys application of enterprise risk management including the tools and techniques employed and the assignments of roles and responsibilities often will look very different from anothers. The implementation and execution of an effective ERM program is a multi-year effort that requires time, commitment, support and resources. Therefore, we believe that the OIGs assertion that FSA has not implemented enterprise risk management is somewhat misleading. Our concern is that since it merely states the obvious, it tends to undermine ERMGs efforts as this is not a realistic expectation or goal at this point in time. In fact, only a very small percentage of publicly traded companies have fully implemented ERM programs, despite having a significant head start over their government counterparts. Most ERM programs, like FSAs, are works-in-progress. Despite this, many of the benefits associated with ERM can be and are realized prior to the full implementation of ERM. FSAs ERM Program competes with other ERMG efforts including special projects, risk assessments and internal reviews. It was developed internally with extensive planning, analysis and research, which was a necessity as there is no governmental guidance directly related to ERM, or other federal ERM programs to model after. The ERM Program consists of various additional efforts beyond the business unit risk activities referred to in the OIGs report. While the business unit risk activities represent a significant part of FSAs ERM Program, numerous other activities were underway during the May 2007 through December 2008 time period referenced by this report. These activities include: Page 3 - Mr. W. Christian Vierling Conduct a high-level risk assessment to identify and assess FSAs strategic risks; Development and finalization of various risk resources and tools to guide and support the ERM Program; Development and implementation of an advanced risk tracking database; Training and presentations provided to internal business units, senior management and entities outside of Federal Student Aid; Conduct various activities required to acquire contractor support for the ERM effort; and Completion of various policies, procedures and/or process documents in support of FSAs ERM Program. We believe that failure to recognize these activities in the Review Results section of this report can present an unbalanced view of the status of FSAs ERM Program and associated implementation efforts. Considerable attention in this report also focuses on what OIG characterizes as ERMGs limited attention to the Internal Environment component of the COSO ERM Framework. We respectfully disagree with this characterization and maintain that significant efforts relating to FSAs Internal Environment have been performed or are in process. Prior to beginning the detailed risk activities currently underway, ERMG engaged an independent contractor, Grant Thornton, LLP (GT), to perform a high-level risk assessment at FSA. As part of that effort, GT also performed a high-level baseline review and documentation of FSAs Internal Environment as defined by the COSO ERM Framework. The results of that review were contained in the high-level risk report presented to executive management. At the same time, efforts to document and evaluate the Internal Environment at FSA continue as part of other activities associated with the implementation of FSAs ERM Program. We believe that the combined ERMG efforts discussed above and relating to the COSO Internal Environment component are substantial. Nonetheless, we appear to have fundamental differences with the OIG about the timing of activities associated with incorporating this component into FSAs framework. Although the baseline review and documentation of the Internal Environment were performed as planned, we did not intend as part of that effort to audit or opine on the strength or effectiveness of this COSO component. To do so, in our opinion, would be premature and offer little or no added value. Page 4 - Mr. W. Christian Vierling While efforts to implement an ERM Program at FSA are not free from challenges or mistakes, they do offer a unique opportunity to enhance the organizations risk management practices, understanding and culture. Our process of implementing an ERM Program is one of continuous enhancement, refinement and adoption of best practices. As such, we appreciate the chance to share our efforts and progress with the OIGs inspection team and hope to further improve FSAs ERM Program based on the feedback provided. Sincerely, /s/ James F. Manning Acting Chief Operating Officer  Risk appetite is defined as the amount of risk an entity is willing to accept in pursuit of its mission.  Risks within the COSO Framework are discussed in terms of inherent risk and residual risk. Inherent risk is defined by the COSO Framework as the risk to an entity in the absence of any actions management might take to alter the risks likelihood or impact. The ERMG uses a similar term, aggregate risk, which it defines as the total amount of exposure associated with a specified risk that does not include the effect of risk strategies, controls or other measures designed to mitigate the effect of the specified risk. Residual risk is defined by the COSO Framework and the ERMG as the risk that remains after action has been taken to alter the risks likelihood or impact.  Risk tolerances are defined by the COSO Framework as the acceptable levels of variation relative to the achievement of objectives. In other words, it is the amount of variation that an entity is willing to accept in pursuit of its goals and objectives.     The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.  PAGE 12 &'CDp s{  }  z ( ) Ͽÿrkk^hphq5B*ph hX_hqh[Phq5B*ph hkQhqhhqB*phh.thqB*phh87hq5B*ph hq5\hqCJaJ hRhqhqhqB* CJaJphhqB* phhq5B* OJQJph4jhPnhq5B* OJQJUmHnHphu 'CD  $@ps9gdq ^`gdq^gdq gdq5gdq< gdqgdq$a$gdq|'* + VW+,UKS./45}+ & Fgdq & Fgdqgdq ,@UfK_(=>Se/`g1+,x}i!j!0s1u1v144444445 5$5;5\5a5d55555(6 h mhq hqCJ hq\ h6hq h$fhq hkQhq hX_hq h]%Ihqjhq0JUhdhq6hqhchq5B*phB+,;<3#4#$$%?%@%%%%%!&5&P&X&Y&g(h(_*`* & Fgdq & Fgdq & Fgdq9gdqgdq`*2-3-v1w144446669996>7>C>\@]@j@BBDDDFF gdq9gdqgdq(6+6u6666997>B>C>]@j@DDFFLLMMNOO"PQR3T4T5TTTUUU7UUUUUU>VIVaVcVpVVV W WxXyXYYY>YuYYh}#hq6 he+hqh hq6 *hq h@Shq *hKqhq h[hq h Qhq hb:hq h6hq h:hqhb:hq6h {hq6 hq6hq h mhq9FFIILLLMMMRR4T5TWTXTTTUUUU@YAYZ Z Z!Z9gdqgdq!Z$[%[[[[\\ \ \ \ \\\)\*\D\q\\\\ $]a$gdq]gdq$a$gdq gdq ^`gdq `^``gdqgdq 7$8$H$gdqY\\ \\\\\\||~||&''(*+-.013567hq0JmHnHu hq0Jjhq0JUh<hqB* CJaJphhqB* CJaJph hhqjhqUjhq0JU hqH* hulhq hq>*jhqUmHnHuhq"\\\\\^^aa[d\d]d^d_d`ddddff[j\jtmum-p.p`]^``gdq  !]gdq]gdq.p/p0p1p2pUpVpWpppqqYqZqqq4r5rrrksls5w6w ]^`gdq & F ]^`gdq]gdq6wyyyyyyyy{{{{{{{||||~|&&')*,gdq  ]gdq]gdq,-/023567 $h]ha$gdqh]h$a$gdqgdq10&P1hP:pq/ =!"#$%- 0&P1h:pq/ =!"#$%F?;bN|JFIF``C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222UY" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?(fTRB$(j+{HL3 C@M`\$z\[` 'lHx?\[KlC$xV&7" ǸcIl?'=IG֛ }\_9xԭcu~ڍKׂ&*vW!H\PkmRC$1%{cqg cګ O%Krm\[ `VF drSFc}jWLYdK#2e$Pǩ{Vr&3:51R-9\'M=QX:vSXyd70əm|67q5Y8QE!rA~~ Lp ?O_\ÝNqX9Kn:%+ M6R pMUFY]IhH;(%ëqqeMRId'?.rGC4|;ǮY/ɕ˖PI$c>>Dѻ*]LKaE#73BFSt+hݪOfׇRVFˑ=ZiMkj]'leNps@:6Sh-acpA8ao ;E,.IHjkkBo ~@,̹;N7瞕zAiM%5V[( \>IF[KyEB(F.o'8%@*AfFpE}jLHH=ȥDaU::z ֡\][6a y;Qf=.nş0NI1$GNX"O{FZY\dؑ* |vbmě.nSdL ՚8bdpP 2qZxq:[u /!K|gDN=뢮oNRb6P_Kmde/1xO#=mLc*|Ws6OtMI=3ZM)&{@6p A+$q/`.=|EccN2h:F.5VMn$T~bH=0}1\e/nB<_z |/A(ӧkan\1G p<h5 B^N^R yhOU l t6t Vwr0C.$TCRnA0ڢHt$<.chCՓR 䊷.\kwN%Ӥ>PT0  JqV-Ŏ3:^XOq2KqAmNt;ڤVZ1ն8QT MTmd:,>{?,dIϩ{4]Cor]9u1l\Tn<す#ֵ[ԼY\Ac>yd.$"4jhkAV!*ZF`b0Kc#F*٫1竱9fI'񫵌H+,d總YlCyÌ㓀G#E *T4ULe!1lBNVnIl`n!Ec&RP&y==:dc{[*T^fDopNľ!&_e'?ă* }G#5{pڌ>3 fJ+BhP? [_^1oxćh|GNWS/WKQM PXt6)[13#i> gA Heading 1 $@&a$5\BB gA Heading 2 $@&a$ 5CJ\88 gA Heading 3$@&>*>> gA Heading 4$@& 5>*\:@: gA Heading 5$@&5\nn gA Heading 61$p@ 7$8$@&H$a$5B*\phNN gA Heading 7 $@&a$5>*B*CJ]phDD gA Heading 8$@&5B*\phP P gA Heading 9 $7$8$@&H$]^ 5>*\DA@D Default Paragraph FontRiR 0 Table Normal4 l4a (k( 0No List 0>0 gATitlea$5\<@< gAHeader !CJaJ6P6 gA Body Text 2]4B"4 gA Body Text5\>@2> gA Footnote TextCJaJ@&@A@ gAFootnote ReferenceH*B'@QB gAComment ReferenceCJaJ<b< CgA Comment TextCJaJ@Cr@ gABody Text Indent^h4 @4 gAFooter !.)@. gA Page Number<Q< gA Body Text 3 B*phJJ gA quotation5$7$8$9DH$]^aJbb gArecommendation(d 5$7$8$9DH$^`aJNRN gABody Text Indent 2^ B*phBB gAxl26dd[$\$OJPJQJ^JFF gAxl27dd[$\$a$OJPJQJ^JLTL gA Block Text 7$8$H$]^ B*phLJL gASubtitle!7$8$H$]5>*B*\phPPgATOC 1"$ ]^``5aJ mHnHuTTgATOC 2#$ ]^ `a$5aJmHnHu.. gATOC 3 $$ 22 gATOC 4 % (#** gATOC 5&^** gATOC 6'^** gATOC 7(^** gATOC 8)^** gATOC 9*^6U@6 gA Hyperlink >*B*phFV@F gAFollowedHyperlink >*B* phR^R gA Normal (Web)-dd[$\$OJPJQJ^J88 gAStyle 4.1$7$8$^FF gAStyle 6/d1$7$8$]H^`@@ gAStyle 20d1$7$8$`pa$:: gAStyle 311$7$8$]Ha$6"6 gAStyle 121$7$8$H$@2@ gAStyle 531$7$8$^ HSBH gABody Text Indent 3 4^`00OR0 gAletter5CJaJ88 gA Report Title6CJ$NN gA Finding Title7$$^p` 5CJ\RR gANumbered recommendation 8 FhOh gAReport Section!9$$N P a$5B*CJph00 gA TOC Header:HH gAEnclosure Title;a$ 5CJ \LOQL gAEnclosure Number <H$CJ0!0 gAStyle1=a$CJ66 gA RptSubcaption>DLD hLNDate ?^a$CJKHOJQJaJjj .t Table Grid7:V@0@HH / Balloon TextACJOJQJ^JaJ@jab@ DUComment SubjectB5\:O1: UComment Text Char@O2A@ BUComment Subject CharDRD870RevisionECJ_HaJmH sH tH  =zk      z3 "zzzzzzzz z z z zH*7DOV_^1jsz2mv   'CD  $@ps*+V W + , U K  S./45}+,;<34?@! 5 P X Y g"h"_$`$2'3'v+w+....0003336878C8\:]:j:<<>>>@@@CCFFFGGGLL4N5NWNXNNNOOOO@SAST T T!T$U%UUUUVV V V V VVV)V*VDVqVVVVVVVVXX[[[^\^]^^^_^`^^^^``[d\dtgug-j.j/j0j1j2jUjVjWjjjkkYkZkkk4l5lllkmlm5q6qssssssssuuuuuuuvvvv~v&y&z'z)z*z,z-z/z0z2z3z5z6z7zzzzzzY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$oY$o 0p 0p 0p0p0p0p90p0p0p0p0p0p0p 0p 0p 0p0p0p 0p 0p0p0p 0p 0p 0p0p0p0p0p0p0p0p0p0p0p0p90p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p90p0p0p0p0p0p0p0p0p0p0p0p90p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p 0p0p 0p0p 0p0p 0p0p 0p0p 0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0p0pYoYYoYoYo0p0p0p0pDX Zr 0pph@hЃrpYohЃrpYo0pphЃrpYo  (6YAEHK+`*F!Z\.p6w,BDFGIJLMNOC! #_,R$?;bN|!b<3 AA@ ^Z(   ] s A4?<.ED Letterhead Logo - BluePicture 2ED Letterhead Logo - Blue.jpgQSQS"? ^ c A4?<.ED Letterhead Logo - BlueED Letterhead Logo - Blue.jpgQSQS"?B S  ?H0(  Vz]Rng^^@W tm_1744831448 tm_1744830991 tm_1744831053 _Toc160261058 tm_1744831175 tm_1744831518 _Toc160261060 tm_1744831179 ,,-@5N>Sz O:I-FVN>SzU\]\vv'z'z)z)z*z*z,z-z/z0z2z3zzzzz!CCrP}Pvv'z'z)z)z*z*z,z-z/z0z2z3zzzzz333333~@&m NT*7Tf\CxQH-YR>bHAfдF?Oa}dԀ %*58BK*xb3n^o 4 ]kC6+];8jW?PB?}t&(@`]Ah`FKO Ih=L6zhM;;qePڤ^sePж2p GZ;H&c*3lhq`Tmzt ^`OJQJo(^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`.8^8`o()^`. L^ `L. ^ `.x^x`.HL^H`L.^`.^`.L^`L. ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo( ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo( ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(X^`Xo(5.^`.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L.0^`0o(0^`0o(.0^`0o(..0^`0o(... 88^8`o( .... 88^8`o( ..... `^``o( ...... `^``o(....... ^`o(........ ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo( ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(0^`056CJOJQJo(0^`056CJOJQJo(.0^`0o(..0^`0o(... 88^8`o( .... 88^8`o( ..... `^``o( ...... `^``o(....... ^`o(........ ^`OJQJo(^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`.   ^ `OJQJo(^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`.^`CJOJQJo(@ @ ^@ `OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o ^`OJQJo( PP^P`OJQJo(  ^ `OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo( ^`OJQJo(^`.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L.^`CJOJQJo(^`OJQJ^Jo(o pp^p`OJQJo( @ @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o PP^P`OJQJo( ^`OJQJo( ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(^`o(.^`.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L. ^`OJQJo(^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`. ^`OJQJo(^`OJQJ^Jo(o p^p`OJQJo( @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o P^P`OJQJo(^`CJOJQJo(^`OJQJ^Jo(o pp^p`OJQJo( @ @ ^@ `OJQJo(^`OJQJ^Jo(o ^`OJQJo( ^`OJQJo(^`OJQJ^Jo(o PP^P`OJQJo(0^`0o(0^`0o(.0^`0o(..0^`0o(... 88^8`o( .... 88^8`o( ..... `^``o( ...... `^``o(....... ^`o(........ ^`OJQJo(^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`.hh^h`.88^8`.L^`L.  ^ `.  ^ `.xLx^x`L.HH^H`.^`.L^`L.0^`0o(0^`0o(.0^`0o(..0^`0o(... 88^8`o( .... 88^8`o( ..... `^``o( ...... `^``o(....... ^`o(........}BK*]kC6 %Tmz&c 4-=LB?qePP hM GZO IqW? +];~ *3l~O(@b3^sePm7TR`]ACAf`F                                                                                n                                            j                                    j                                             j                           vz@ gz@ @Unknown GTimes New Roman5Symbol3 ArialKBookman Old StyleI. ??Arial Unicode MS9Garamond5 Tahoma?1M Courier New;Wingdings"1h+F2f!&` rif y !4zy'2QHX  ?hLNWI13I0005 - Review of Federal Student Aid s Enterprise Risk Management Program (MS Word)Alan Smigielski User                          Oh+'0 $0@ `l    'XI13I0005 - Review of Federal Student Aids Enterprise Risk Management Program (MS Word)NormalAlan Smigielski User3Microsoft Word 11.5.3@F#@an@@^ ` ՜.+,D՜.+,x   d' U.S. Department of Educationrz XI13I0005 - Review of Federal Student Aids Enterprise Risk Management Program (MS Word) TitleP :B_PID_LINKBASE'A  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry Fc=1TableXWordDocumentSummaryInformation(DocumentSummaryInformation8CompObjX FMicrosoft Word DocumentNB6WWord.Document.8