Wouldn't an actual audit require going into individual student records? If someone's committing fraud, they could just as easily commit fraud by generating an entire faulty database, fudge numbers until the median actually comes out to 168 or whatever they want, and auditing their database would mean nothing unless you could get into the actual student records and verify their reported scores were real. But even then, accessing student records at the school is meaningless because the people committing the fraud are the people who control those records, and could doctor the physical records as well. After all, if you're already committing a fraud, wouldn't you want to cover it up?
To verify the actual student records weren't doctored, we've now got to gain access to these students' LSDAS reports, or at least to their LSAC scores. While FERPA creates a legal privacy exception for schools, it doesn't appear to apply to LSAC, which is a non-profit corporation.
LSAC's website says this about your LSAC score, under the "confidentiality" section: "Scores are released only to you and to the law schools to which you have applied. They will not be released to a parent, spouse, friend, or any other person." It doesn't sound like there's an exception for providing scores directly to the ABA. LSAC might be liable for some kind of privacy tort if they released LSAC scores to the ABA without first obtaining students' permission.
That means that, in order for the ABA to run a proper audit of a law school, they'd need to get permission to access the LSAC records of many of its students. That doesn't sound very practical, especially since those students will know an audit means nothing good for their school. Either their school passes the audit, which just maintains the status quo, or their school fails the audit, which gives their school a black eye and potentially hurts their employability.