
Post on 18-Jun-2020


9/8/2016


Auditing Compliance Up, Down, and Sideways

Deena King, Director of Compliance, TWU

Introduction: TWU, You, and the Agenda


Public University

Founded in 1901: “Girls Industrial College”

Located in Texas
• Denton: 12,490
• Dallas: 1,431
• Houston: 1,365
• Total: 15,286

About Texas Woman’s University

Part‐ and Full‐time Faculty/Staff: 1,325

Adding GA, Adjunct, Students: 2,143 (as of 8‐1‐16)

Graduate/Undergraduate: 5,206/10,080

Women/Men (1972): 90%/10%

About Texas Woman’s University

“…the nation’s largest public university primarily for women.”


Management Principle

Seek first to understand, then to be understood.

‐ Stephen R. Covey, The Seven Habits of Highly Effective People

About You: Survey

1 – How many of you are new to compliance audit?

2 – How many of you are experienced with compliance audit?

3 – How many of you just did not want to go to another session?


About You: Survey

1 – Audit Committee?

2 – Chief Audit Executive?

3 – Director?

4 – Manager?

5 – Auditor/Sr. Auditor?

About You: Survey

In your organization…

‒ Do you have an institutional ethics and compliance program?

‒ Is compliance separate from internal audit?

‒ Is compliance combined with internal audit?


Compliance in Higher Ed

Compliance is not new to higher education.  Some universities have had institutional compliance programs for over 20 years.

Agenda

• Sideways
  • Auditing “compliance”
• Up and Down
  • Three primary levels of internal controls
  • Eight groups of internal controls required by the federal guidelines
  • Putting it all together
• Popular management principles


Auditing “Compliance”: Sideways

Auditing “Compliance”

Can internal audit provide reasonable assurance that our organization is “in compliance” with _________________?

EEO

OSHA

NCAA

PCI

ADA

Title IX

SOX

FLSA

DOE

HIPAA

FERPA

SEVIS

Research

Copyright

Tax

Clery

EPA

Etc. etc.


Auditing “Compliance”

• Discussion
  • How do you design these compliance audit programs?
  • Where do you go to find compliance audit templates?
  • What are your audit standards?

Higher Education Compliance Alliance

• The Higher Education Compliance Alliance was created by the National Association of College and University Attorneys (NACUA) to provide the higher education community with a centralized repository of information and resources for compliance with federal laws and regulations. 

• http://www.higheredcompliance.org/

• ACUA is a member of this alliance


HECA Compliance Matrix

• 37 Federal Compliance Areas
• 262 Statutory Summaries
• Summaries include:
  • Topic (Area)
  • Statute
  • Regulations
  • Statutory Summary
  • Reporting Requirements & Deadlines
  • Additional Resources
  • Reporting Deadlines

Sample entry:

Topic (Area): Campus Safety

Statute: Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) and Violence Against Women Act ‐ 20 U.S.C. § 1092(f)

Regulations: 34 C.F.R. § 668.41(e) & 34 C.F.R. § 668.46

Statutory Summary: Any institution that participates in federal financial aid programs must collect information with respect to campus crime statistics and campus security policies of the institution. The institution must annually distribute to current students, employees, and (upon request)…

Auditing Compliance: Up and Down

“Foundations”


U.S. Sentencing Guidelines (aka “Federal Sentencing Guidelines” or FSG)

(emphasis added)

Compliance Programs: Overall Risk

To have an effective compliance and ethics program…an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2)  otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. 

‐ USSG §8B2.1.a (emphasis added)


Compliance Programs: Overall Risk

The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense. 

‐ Commentary on USSG §8B2.1, paragraph 7 (emphasis added)

Freeh Report, Penn State – 2012

9‐6‐13


Compliance in Context: Up and Down

Control Levels & Control Types

• Organizational Hierarchy

• The “Seven Elements”

• Design AND Implementation

Compliance


Typical Organizational Hierarchy

• Governance: Board
• Management: Executives; Directors
• Performance/Operational: Managers; “Front Line”

Levels of Internal Control

Board: “The organization’s governing authority shall be knowledgeable…and shall exercise reasonable oversight…”

‐ USSG §8B2.1.b.2.A (emphasis added)


Levels of Internal Control

Management: “High‐level personnel of the organization shall ensure that the organization has an effective compliance and ethics program.”

‐ USSG §8B2.1.b.2.B (emphasis added)

Levels of Internal Control

Operational: “Specific individual(s) within the organization shall be delegated day‐to‐day operational responsibility for the compliance and ethics program.”

‐ USSG §8B2.1.b.2.C (emphasis added)


Operational:  A Broader View

Operational (Day‐to‐Day):
‐ Compliance Director
‐ Compliance Managers
‐ Subject‐specific Compliance Partners
  ‐ A Lot (HR, OSHA, ADA, etc.)
  ‐ A Little (Travel Study, etc.)

Internal Control Principle

IIA’s “Three Lines of Defense”

• Control Objective:
  • Verify there are internal controls in place at all three levels

Operations

Management

Board


Internal Control Principle

• COSO “Cube” 

• Control Objective
  • Verify there are internal controls in place at all levels

The “Seven Elements”

The “Seven Elements” are fundamental internal controls for effective compliance programs, up and down


The “Seven Elements”

1. Written standards, policies, and procedures.

2. Compliance “administration” (i.e., a compliance officer, etc.).

3. Communications, training, and education.

4. Monitoring and auditing.

5. Reporting and investigation.

6. Enforcement and discipline.

7. Response and prevention.

The “Eight Steps” at TWU¹

AKA “Internal Controls”

1. Identify Requirements/Assess Risk

2. Establish/Modify Compliance Organization

3. Document Standards, Policies, and Procedures

4. Communicate Standards, Policies, and Procedures

5. Implement, Promote, and Enforce

6. Monitor, Audit, and Report

7. Continuous Improvement

8. Leadership/Corporate Culture

¹ Adapted from Compliance in One Page ©2015. Used with permission.


Rationale for the Modifications

• Identify Requirements/Assess Risk
  • Identify Requirements: A principle of accountability and program management
  • Assess Risk: The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement (USSG §8B2.1.c, emphasis added)
• Leadership/Corporate Culture
  • Governing authority shall be knowledgeable and shall exercise reasonable oversight (USSG §8B2.1.b.2.A, emphasis added)
  • …an organization shall—…promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (USSG §8B2.1.a.2 and §8B2.1.b, emphasis added)

TWU Compliance Process: The Model²

Diagram labels: Laws, Regulations, Regulators; Identify Requirements/Assess Risk; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote, and Enforce; Monitor, Audit, and Report; Continuous Improvement; Leadership/Campus Culture

Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness.

² Adapted from Compliance in One Page ©2015. Used with permission.


Internal Control Principle

• The adoption of the “seven elements” from the FSG at governance, management, and by ALL major subject‐specific compliance programs helps infuse compliance internal controls into the culture and puts everyone on the same page

• Control Objective:
  • Verify the “seven elements” are used as internal controls from top to bottom


Management Principle

Give a man a fish, you feed him for the day; teach him how to fish, you feed him for a lifetime.

‐ Eastern Proverb

Adapted by Stephen R. Covey in Principle‐Centered Leadership

Compliance Controls Two Ways

• Design AND Implementation

“[The organization’s] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.”

‐ USSG §8B2.1.a.2 (emphasis added)


Internal Control Principle

• “It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance.”

‐ Para 16, FERC Compliance with Statutes, Regulations, and Orders (emphasis added)

• Control Objective:
  • Verify a compliance program is designed AND implemented

Auditing Compliance: Up and Down

RISK


Risk Discussion

3 Levels, 8 Internal Control Areas, 2 Types

8 Internal Control Areas:

1. Identify Requirements/Assess Risk
2. Compliance Organization
3. Document Standards, etc.
4. Communicate Standards, etc.
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture

2 Types: Design AND Implementation

60‐Second Stretch Break


Putting it All Together: Up and Down

CONTROLS TO LOOK FOR

Discussion

• Putting it all together

• Organizational Hierarchy

• The “Eight Steps”

• Design AND Implementation

Compliance


Levels of Internal Control

• Board Oversight

• Institutional Compliance

• Operational Compliance
  • EEO
  • OSHA
  • FERPA
  • Etc. etc.

Auditing Board Level Controls

• Discussion – Design & Implementation

1. Identify Requirements/Assess Risk

2. Compliance Organization

3. Document Standards, etc.

4. Communicate Standards, etc.

5. Implement, Promote, and Enforce

6. Monitor, Audit, and Report

7. Continuous Improvement

8. Leadership/Corporate Culture


Board Level Controls: Resources

• Association of Governing Boards of Universities and Colleges

• Welcome to Compliance U: The Board’s Role in the Regulatory Era

http://agb.org/trusteeship/2013/7/welcome‐compliance‐u‐boards‐role‐regulatory‐era

• SCCE Regional Conference, Dallas, December 2015
  • Training and Responsibilities, Marjorie Doyle, CCEP‐F
  • Training the Board on ethics and compliance program responsibilities

Auditing Institution/Operations

• Internal Controls

• The “Eight Steps”

• Design AND Implementation

Note: The audit steps about to be discussed meet the requirement outlined in §8B2.1.b.5.B, “to evaluate periodically the effectiveness of the organization’s compliance and ethics program”

Scale & Scope


Management Principle

Concentrate on building an organization—building a ticking clock—rather than telling time...take an architectural approach and concentrate on building organizational traits…

‐ Jim Collins & Jerry Porras

Built to Last, pp. 199‐201 (paraphrased)

TWU Compliance Process: The Model²

Diagram labels: Laws, Regulations, Regulators; Identify Requirements/Assess Risk; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote, and Enforce; Monitor, Audit, and Report; Continuous Improvement; Leadership/Campus Culture

Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness.

² Adapted from Compliance in One Page ©2015. Used with permission.


STEP 1: Assess Risk/Identify Requirements (Laws, Regulations, Regulators)

• Legal Requirement: “…the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement…”

‐ USSG §8B2.1.c (emphasis added)

STEP 1: Identify Requirements/Assess Risk (Laws, Regulations, Regulators)

• Institutional Level
  • ID Requirements:
    • Design
    • Implementation
  • Assess Risk:
    • Design
    • Implementation


STEP 1: Identify Requirements/Assess Risk (Laws, Regulations, Regulators)

• Operational Level
  • ID Requirements:
    • Design
    • Implementation
  • Assess Risk:
    • Design
    • Implementation

STEP 2: Establish/Modify Compliance Organization

• Legal Requirement:
  • “…governing authority shall be knowledgeable…and shall exercise reasonable oversight…”
  • “High‐level personnel of the organization shall ensure the organization has an effective compliance and ethics program…Specific individual(s) within high‐level personnel shall be assigned overall responsibility for the compliance and ethics program…”
  • “Specific individual(s) within the organization shall be delegated day‐to‐day operational responsibility…”
  • “…exercise of due diligence…”

‐ USSG §8B2.1.b.2.A‐C & 3 (emphasis added)


Governing Authority

“Governing authority” means the (A) the Board of Directors; or (B) if the organization does not have a Board of Directors, the highest‐level governing body of the organization. 

‐ Commentary, USSG §8B2.1 

High‐level Personnel

“High‐level personnel of the organization” means individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization. The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.

‐ USSG Commentary, §8A1.2 (emphasis added) 


Due Diligence

The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program. 

‐ USSG Commentary, §8A1.b.3 (emphasis added)

STEP 2: Establish/Modify Compliance Organization

• Institutional Level
  • Organization
    • Design
    • Implementation
  • Due Diligence


STEP 2: Establish/Modify Compliance Organization

• Operational Level
  • Organization
    • Design
    • Implementation
  • Due Diligence

Centralized

http://compliance.ouhsc.edu/LinkClick.aspx?fileticket=nmblcMDq2GA%3d&portalid=61

University of Oklahoma

‐ Reports to OU General Counsel
‐ Is over:
  ‐ IRB
  ‐ Healthcare Billing
  ‐ Radiation Safety
  ‐ EHS
  ‐ Disability
‐ Services:
  ‐ Tech Support
  ‐ Compliance QA
  ‐ Ethics


TWU Office of Compliance

Higher Education Compliance Alliance

37 Federal Compliance Areas

Decentralized

Management Principle

If we get the right people on the bus, the right people in the right seats, and the wrong people off the bus, then we’ll figure out how to take it to someplace great.

‐ Jim Collins

Good to Great, p. 41


STEP 3: Document Standards, Policies, and Procedures

• Legal Requirement: “The organization shall establish standards and procedures to prevent and detect criminal conduct.”

‐ USSG §8B2.1.b.2.A‐C & 3

STEP 3: Document Standards, Policies, and Procedures

• Institutional Level
  • Standards
    • Design
    • Implementation
  • Policies
    • Design
    • Implementation


STEP 3: Document Standards, Policies, and Procedures

• Operational Level
  • Policies
    • Design
    • Implementation
  • Procedures
    • Design
    • Implementation

STEP 4: Communicate Standards, Policies, and Procedures

• Legal Requirement: “Communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals by conducting effective training programs and otherwise disseminating information.”

‐ USSG §8B2.1.b.2.A‐C & 3


STEP 4: Communicate Standards, Policies, and Procedures

• Institutional Level
  • Communication
    • Design
    • Implementation
  • Training
    • Design
    • Implementation

STEP 4: Communicate Standards, Policies, and Procedures

• Operational Level
  • Communication
    • Design
    • Implementation
  • Training
    • Design
    • Implementation


STEP 5: Implement, Promote, and Enforce

• Legal Requirements:

[The organization’s] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.

The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization.

‐ USSG §8B2.1.a.2 & b.6 (emphasis added)

STEP 5: Implement, Promote, and Enforce

• Institutional Level
  • Implement
    • Design
    • Implementation
  • Promote
    • Design
    • Implementation
  • Enforce
    • Design
    • Implementation


STEP 5: Implement, Promote, and Enforce

• Operational Level
  • Implement
    • Design
    • Implementation
  • Promote
    • Design
    • Implementation
  • Enforce
    • Design
    • Implementation

Management Principle

Sustained great results depend upon building a culture full of self‐disciplined people who take disciplined action.

‐ Jim Collins

Good to Great, p. 143 (emphasis added)


STEP 6: Monitor, Audit, and Report (Laws, Regulations, Regulators)

• Legal Requirement: Ensure that the organization’s compliance and ethics program is followed; monitoring and auditing to detect criminal conduct; Evaluate periodically the effectiveness of the organization’s compliance and ethics program; publicize a system…whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct.

‐ USSG §8B2.1.b.5.A‐C

STEP 6: Monitor, Audit, and Report (Laws, Regulations, Regulators)

• Institutional Level
  • Monitor
    • Design
    • Implementation
  • Audit
    • Design
    • Implementation
  • Program Evaluation
    • Design
    • Implementation


STEP 6: Monitor, Audit, and Report (Laws, Regulations, Regulators)

• Operational Level
  • Monitor
    • Design
    • Implementation
  • Audit
    • Design
    • Implementation
  • Program Evaluation
    • Design
    • Implementation

Management Principle

Facts are better than dreams…[When] you start with an honest and diligent effort to determine the truth of the situation, the right decisions often become self‐evident…You absolutely cannot make a series of good decisions without first confronting the brutal facts.

‐ Jim Collins

Good to Great, p. 69, 70


STEP 7: Continuous Improvement

• Legal Requirement: “After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program…

“[T]he organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to…modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.”

‐ USSG §8B2.1.b.7 & c (emphasis added)

STEP 7: Continuous Improvement

• Institutional Level
  • Continuous Improvement
    • Design
    • Implementation


STEP 7: Continuous Improvement

• Operational Level
  • Continuous Improvement
    • Design
    • Implementation

STEP 8: Leadership/Campus Culture: “Lead with Integrity”

• Legal Requirement: “Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law…”

‐ USSG §8B2.1.a.2 and §8B2.1.b (emphasis added)

“…governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight… Specific individual(s) within high‐level personnel shall be assigned overall responsibility for the compliance and ethics program…”

‐ USSG §8B2.1.b.2.A‐B (emphasis added)


STEP 8: Leadership/Campus Culture: “Lead with Integrity”

• Institutional Level
  • Leadership
    • Design
    • Implementation
  • Campus Culture
    • Design
    • Implementation

STEP 8: Leadership/Campus Culture: “Lead with Integrity”

• Organizational Level
  • Leadership
    • Design
    • Implementation
  • Campus Culture
    • Design
    • Implementation


TWU Compliance Process: The Model²

Diagram labels: Laws, Regulations, Regulators; Identify Requirements/Assess Risk; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote, and Enforce; Monitor, Audit, and Report; Continuous Improvement; Leadership/Campus Culture

Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness.

² Adapted from Compliance in One Page ©2015. Used with permission.

Putting it All Together

• Review

• Organizational Hierarchy

• The “Eight Steps”

• Design AND Implementation

Compliance


Summary: Institutional Design

• ID Requirements/Assess Risk
  • Inventory ID and Update Process
  • Regular Risk Assessment
• Organization
  • Org Charts
  • Documented roles and responsibilities
  • Background checks
• Documentation
  • Process for designing/updating standards, policies, procedures, programs, and plans
• Communicate
  • Communication Plan
  • Training Plan
• Implement, Promote, Enforce
  • Action Plan(s)
  • Awards Program, Contests, etc.
  • Enforcement Process
• Monitor, Audit, Report
  • Audit Plan(s)
  • Monitoring Plan(s)
  • Program Evaluation Schedule
  • Reporting as needed
• Continuous Improvement
  • Plans to remediate and correct
• Leadership/Culture
  • Surveys, Training, Communication, etc.

Summary: Institutional Implementation

• ID Requirements/Assess Risk
  • Compliance Inventory or Website
  • Risk Assessment Notes, Reports
• Organization
  • Positions are filled with qualified people
  • Evidence that roles and responsibilities are fulfilled
  • Sample redacted background checks
• Documentation
  • Documented standards, policies, procedures, programs, and plans
• Communicate
  • Evidence of Communication
  • Evidence of Training
• Implement, Promote, Enforce
  • Steps 1‐4 and 6‐8 have evidence
  • Sample promotion evidence
  • Sample enforcement actions
• Monitor, Audit, Report
  • Sample audit reports
  • Sample monitoring reports
  • Program Evaluation Report
  • Sample of reports to mgt and board
• Continuous Improvement
  • Evidence of remediation, corrections
• Leadership/Culture
  • Evidence of leadership and culture


Summary: Operational Design

• ID Requirements/Assess Risk
  • Inventory ID and Update Process
  • Regular Risk Assessment
• Organization
  • Org Charts
  • Documented roles and responsibilities
  • Rely on HR background checks
• Documentation
  • Process for designing/updating standards, policies, procedures, programs, and plans
• Communicate
  • Communication Plan
  • Training Plan
• Implement, Promote, Enforce
  • Action Plan(s)
  • Awards Program, Contests, etc.
  • Enforcement Process
• Monitor, Audit, Report
  • Self‐Audit Plan(s) and external/internal
  • Self‐Monitoring Plan(s)
  • Program Evaluation Schedule
  • Reporting as needed
• Continuous Improvement
  • Plans to remediate and correct
• Leadership/Culture
  • Surveys, Training, Communication, etc.

Summary: Operational Implementation

• ID Requirements/Assess Risk
  • Compliance Inventory or Website
  • Risk Assessment Notes, Reports
• Organization
  • Positions are filled with qualified people
  • Evidence that roles and responsibilities are fulfilled
  • Evidence background checks were done
• Documentation
  • Documented standards, policies, procedures, programs, and plans
• Communicate
  • Evidence of Communication
  • Evidence of Training
• Implement, Promote, Enforce
  • Steps 1‐4 and 6‐8 have evidence
  • Sample promotion evidence
  • Sample enforcement actions
• Monitor, Audit, Report
  • Sample self‐audit, external/internal reports
  • Sample self‐monitoring reports
  • Program Evaluation Report
  • Sample of reports to mgt and board
• Continuous Improvement
  • Evidence of remediation, corrections
• Leadership/Culture
  • Evidence of leadership and culture


Online Resources

• http://www.twu.edu/general‐counsel/compliance‐information.asp
  • TWU Compliance Program
  • TWU Compliance Guide
• http://www.twu.edu/general‐counsel/14293.asp
  • Basic Compliance Audit Program
    • Covers all the “up/down” steps we just discussed
  • Compliance Surveys
  • Items for TWU Compliance Partners
  • Etc.

Questions/Comments

If Time Permits


Thank you!

Auditing Compliance Up, Down, and Sideways

Deena King, Director of Compliance, TWU
