Post on 18-Jun-2020
Auditing Compliance Up, Down, and Sideways
Deena King Director of Compliance, TWU
Introduction: TWU, You, and the Agenda
About Texas Woman’s University
• Founded in 1901 as the “Girls Industrial College”
• Located in Texas: Denton 12,490; Dallas 1,431; Houston 1,365; Total: 15,286
• Part‐ and Full‐time Faculty/Staff: 1,325; adding GA, Adjunct, and Students: 2,143 (as of 8‐1‐16)
• Women/Men (1972): 90%/10%
• “…the nation’s largest public university primarily for women.”
“Seek first to understand, then to be understood.” ‐ Stephen R. Covey, The Seven Habits of Highly Effective People
About You: Survey
1 – How many of you are new to compliance audit?
2 – How many of you are experienced with compliance audit?
3 – How many of you just did not want to go to
About You: Survey
1 – Audit Committee?
2 – Chief Audit Executive?
3 – Director?
4 – Manager?
5 – Auditor/Sr. Auditor?
About You: Survey
In your organization…
‒ Do you have an institutional ethics and compliance program?
‒ Is compliance separate from internal audit?
‒ Is compliance combined with internal audit?
Compliance in Higher Ed
Compliance is not new to higher education. Some universities have had institutional compliance programs for over 20 years.
Agenda
• Sideways
  • Auditing “compliance”
• Up and Down
  • Three primary levels of internal controls
  • Eight groups of internal controls required by the federal guidelines
• Putting it all together
  • Popular management principles
Auditing “Compliance” Sideways
Auditing “Compliance”
Can internal audit provide reasonable assurance that our organization is “in compliance” with _________________?
EEO, OSHA, NCAA, PCI, ADA, SOX, FLSA, DOE, HIPAA, FERPA, SEVIS, Tax, Clery, EPA
Auditing “Compliance”
• Discussion
• How do you design these compliance audit programs?
• Where do you go to find compliance audit templates?
• What are your audit standards?
Higher Education Compliance Alliance
• The Higher Education Compliance Alliance was created by the National Association of College and University Attorneys (NACUA) to provide the higher education community with a centralized repository of information and resources for compliance with federal laws and regulations.
• ACUA is a member of this alliance.
HECA Compliance Matrix
• 37 Federal Compliance Areas
• 262 Statutory Summaries
• Summaries include: Topic (Area); Statute; Regulations; Statutory Summary; Reporting Requirements & Deadlines; Additional Resources; Reporting Deadlines
Topic (Area): Campus Safety
Statute: Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) and Violence Against Women Act ‐ 20 U.S.C. § 1092(f)
Regulations: 34 C.F.R. § 668.41(e) & 34 C.F.R. § 668.46
Statutory Summary: Any institution that participates in federal financial aid programs must collect information with respect to campus crime statistics and campus security policies of the institution. The institution must annually distribute to current students, employees, and (upon request)…
Auditing Compliance Up and Down
U.S. Sentencing Guidelines (aka “Federal Sentencing Guidelines” or FSG)
Compliance Programs: Overall Risk
To have an effective compliance and ethics program…an organization shall—
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.
‐ USSG §8B2.1.a (emphasis added)
Compliance Programs: Overall Risk
The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.
‐ Commentary on USSG §8B2.1, paragraph 7 (emphasis added)
Freeh Report, Penn State – 2012
Compliance in Context Up and Down
Control Levels & Control Types
• Organizational Hierarchy
• The “Seven Elements”
• Design AND Implementation
Typical Organizational Hierarchy (diagram; labels recovered from the slide: Managers; “Front Line”)
Levels of Internal Control: Board
“The organization’s governing authority shall be knowledgeable…and shall exercise reasonable oversight…”
‐ USSG §8B2.1.b.2.A (emphasis added)
Levels of Internal Control: Management
“High‐level personnel of the organization shall ensure that the organization has an effective compliance and ethics program.”
‐ USSG §8B2.1.b.2.B (emphasis added)
Levels of Internal Control: Operational
“Specific individual(s) within the organization shall be delegated day‐to‐day operational responsibility for the compliance and ethics program.”
‐ USSG §8B2.1.b.2.C (emphasis added)
Operational: A Broader View
Operational (Day‐to‐Day):
‒ Compliance Director
‒ Compliance Managers
‒ Subject‐specific Compliance Partners
‒ A Lot (HR, OSHA, ADA, etc.)
‒ A Little (Travel Study, etc.)
Internal Control Principle: IIA’s “Three Lines of Defense”
• Control Objective: Verify there are internal controls in place at all three levels
Internal Control Principle: COSO “Cube”
• Control Objective: Verify there are internal controls in place at all levels
The “Seven Elements”
The “Seven Elements” are fundamental internal controls for effective compliance programs, up
The “Seven Elements”
1. Written standards, policies, and procedures.
2. Compliance “administration” (i.e., a compliance officer, etc.).
3. Communications, training, and education.
4. Monitoring and auditing.
5. Reporting and investigation.
6. Enforcement and discipline.
7. Response and prevention.
The “Eight Steps” at TWU¹ (AKA “Internal Controls”)
1. Identify Requirements/Assess Risk
2. Establish/Modify Compliance Organization
3. Document Standards, Policies, and Procedures
4. Communicate Standards, Policies, and Procedures
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture
¹ Adapted from Compliance in One Page ©2015. Used with permission.
Rationale for the Modifications
• Identify Requirements/Assess Risk
  • Identify Requirements: A principle of accountability and program management
  • Assess Risk: The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement (USSG §8B2.1.c, emphasis added)
• Leadership/Corporate Culture
  • Governing authority shall be knowledgeable and shall exercise reasonable oversight (USSG §8B2.1.b.2.A, emphasis added)
  • …an organization shall—…promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (USSG §8B2.1.a.2 and §8B2.1.b, emphasis added)
Identify Requirements/Assess Risk