Compliance13 min readUpdated November 2024

Creating an Internal Audit System That Actually Works

ByBlason TaonSenior VASCO

Design a proactive compliance program that catches errors before external audits do

The best compliance audits are the ones you conduct yourself, before external auditors arrive. An effective internal audit system helps you identify and correct issues proactively, demonstrates good faith compliance efforts, and provides valuable documentation during formal reviews. Yet many VASCO offices lack structured audit programs, relying instead on reactive problem-solving.

This guide walks you through building a sustainable internal audit system tailored to your institution's size and complexity, with practical tools and templates you can implement immediately.

Audit Program Framework

Building Your Audit Schedule

Monthly Audits (High Priority)

Sample Size: 5-10 recent certifications

  • Verify training time calculations
  • Check term dates for accuracy
  • Confirm credit hour totals
  • Review benefit chapter selections
  • Validate prior credit evaluations completed

Quarterly Audits (Moderate Priority)

Sample Size: 15-20 certifications from past quarter

  • SAP compliance documentation
  • Enrollment change reporting timeliness
  • Yellow Ribbon calculations (if applicable)
  • Document retention compliance
  • Communication with students

Annual Comprehensive Audits

Sample Size: 50-100 certifications stratified by program

  • All monthly/quarterly items plus:
  • Policy compliance review
  • Staff certification accuracy rates
  • System and process effectiveness
  • Corrective action follow-up
  • Benchmarking against best practices

Risk-Based Sampling Methods

Prioritize High-Risk Areas

Don't audit randomly, focus on areas where errors are most likely or have highest impact:

Sample Selection Strategy

Stratified Random Sampling

Divide certifications into groups (by program, staff member, student type) then randomly select from each group to ensure representation.

Judgmental Sampling

Deliberately select cases that meet high-risk criteria or where errors have occurred previously.

Systematic Sampling

Review every Nth certification (e.g., every 10th enrollment) to maintain consistency.

Documenting Audit Findings

Finding Classification System

Audit Finding Template

  • Finding #: Sequential number
  • Severity Level: Critical / Moderate / Minor
  • Description: Clear explanation of what was found
  • Criterion: What regulation/policy was violated
  • Impact: Overpayment amount, students affected, etc.
  • Recommendation: Specific corrective action needed
  • Responsible Party: Who will fix it
  • Due Date: When correction must be completed

Continuous Improvement Process

The PDCA Cycle for Audit Programs

PLAN

  • Design audit schedule
  • Identify risk areas
  • Develop checklists
  • Assign responsibilities

DO

  • Conduct audits
  • Document findings
  • Classify by severity
  • Report results

CHECK

  • Analyze patterns
  • Identify root causes
  • Measure trends
  • Benchmark performance

ACT

  • Implement corrections
  • Provide training
  • Update procedures
  • Refine audit program