ESTABLISHING AN EFFECTIVE COMPLIANCE PROGRAM, COMPLIANCE RISK ASSESSMENTS, AND THE ROLE OF GENERAL COUNSEL

NACUA ANNUAL MEETING
CHICAGO, IL
JUNE 27, 2006

Peter Harrington
Director of Research Compliance
Harvard Medical School

Chris Holmes
Assistant General Counsel
Baylor University

Thomas Schumacher
University of Minnesota
Director, Office of Institutional Compliance

Post on 19-Dec-2015


I. Overview, Guidelines for Compliance Programs

WHY HAVE A COMPLIANCE PROGRAM?

• Risk Minimization
  • Financial Risks & Operational Risks
  • Health & Safety Risks
  • Reputational Risks
• Better Image, Improved Relationships, Greater Trust
  • Community
  • Sponsors and Regulators
• External Pressures
  • Post-Enron Corporate Accountability Expectations
  • Sarbanes-Oxley
  • Interested Board Members
  • Governmental Expectations (e.g. DHHS OIG)
• (Possibly) Reduced Fines and Penalties
• Greater Efficiency and Improved Outcomes
  • Better trained workforce, better morale
  • Elimination of uncertainty and confusion about roles and responsibilities
  • Better quality research, operations
  • Identifying and addressing problems early
  • Reducing likelihood of government audits & investigations

WHY HAVE A COMPLIANCE PROGRAM?

• From Steve Jung, Stanford’s Director of Internal Audit and Institutional Compliance (as reported in IIGR guide, referenced below)

Consequences of Noncompliance

• Fines, penalties, and legal fees
• Media coverage and blemished reputation
• Imposed compliance “settlements”
• More regulatory and audit agency scrutiny
• Management time and effort required to perform damage control
• Management turnover
• Lower faculty and staff morale
• Increased bureaucracy and lower efficiency
• Lingering effects ……….
• Guilt by association: when one of us is tarred, we all wear the feathers

Example: COMPLIANCE AT HARVARD

• De-centralized Organizational Structure
• Central Structure
  • Harvard Corporation / Overseers
  • President, Provost
  • VP and General Counsel (OGC)
  • VP for Finance (Controller, OSP, RMAS)
  • VP for Administration (EH&S Facilities)
  • Ombuds Office
• Schools / Tubs (HMS, FAS, HSPH, etc.)
• HMS
  • SPA (Pre-award), ORSP (IRB, IACUC), IBC/COMS, FOA
  • Office of Research Compliance (ORC)
• HMS RCO Reports to
  • Dean of HMS through Dean for Faculty and Research Integrity
  • HU AVP for Research Administration

Example: COMPLIANCE AT HARVARD

• HMS RCO works closely with
  • OSP/SPA Directors/Staff
  • RMAS & HU Senior Compliance Officer
  • Numerous Departments & Offices including ORSP, IBC, FOA, Academic Departments, BSAG, FIG
• HMS Compliance Committees
  • Research Compliance Advisory Committee (Senior HU/HMS Leaders, AVPs, Associate Deans)
  • Research Compliance Leadership Group (HMS Directors – Research Administrative, Finance, and Research Safety and Ethics)

A WORD ABOUT “COMPETING ORGANIZATIONAL MODELS” FOR UNIVERSITY COMPLIANCE PROGRAMS

• CENTRALIZED COORDINATION / DISTRIBUTED EXECUTION MODEL (e.g. U. Minn.)
  • Single University-Wide Compliance Officer
  • Partner with leaders and Compliance/Administrative Personnel in units and Colleges
• HYBRID/DECENTRALIZED MODEL (e.g. Harvard)
  • Compliance Officers at School Level (Research)
  • HU-Wide Senior Compliance Officer in RMAS
  • Horizontal Relationship of School RCOs with Central Audit/Compliance Personnel
  • Compliance Functions/Roles Sometimes Filled by Administrators w/ other duties and w/out “Compliance” in their titles
• “Stealth” Model (e.g. Baylor)
  • Decentralized, without designated COs
  • Compliance Responsibilities assigned to various Deans, Directors, etc.
  • Stronger oversight role in OGC, Audit, etc.

Overview Issue: WHERE SHOULD THE “COMPLIANCE FUNCTION” BE LOCATED?

• VP for Audit and Compliance?
  – How are the roles different?
• General Counsel?
  – If not, what is the role of counsel?
• Risk Management?
  – Isn’t this more than insurance and traditional risk management?
• Stand Alone?
  – How does this function interact with above offices?

Overview: WHAT ARE THE PURPOSES OF A COMPREHENSIVE UNIVERSITY COMPLIANCE PROGRAM?

Example: UMN/OIC’s Mission Statement:

To serve, safeguard, and promote ethical practices at the University of Minnesota by:

• Identifying compliance risks and effective methods to mitigate those risks;
• Improving delivery of compliance resources;
• Educating and promoting awareness of ethical and legal standards of conduct through effective programs; and
• Partnering with responsible University representatives to monitor compliance and to ensure that appropriate and effective corrective actions are taken where non-compliance is detected

WHAT ARE THE PURPOSES OF A MEDICAL SCHOOL RESEARCH COMPLIANCE PROGRAM?

Example: HMS/ORC’s Mission Statement:

To contribute to the advancement of research excellence at HMS by undertaking activities aimed at:

• Ensuring full compliance with all applicable governmental and institutional requirements, and the implementation of appropriate best practices, related to the conduct, administration, and reporting of research; and
• Fostering a culture of responsibility and stewardship that assures the proper use of sponsors’ grant funds; and
• Protecting the institution, its faculty, staff, and students, as well as our research partners and collaborators, the human and animal subjects of our research, and the members of our local and global communities who benefit from and are affected by our research activities.

I. GUIDELINES FOR COMPLIANCE PROGRAMS

1. United States Sentencing Guidelines (USSG)
2. DHHS OIG (Draft) Compliance Program Guidance
3. COGR Guidelines
4. Other Excellent Resources
   A. IIARF
   B. Institutional Compliance Web Sites
   C. U Texas 18 Steps for Implementing a Compliance Program

I.1 UNITED STATES SENTENCING GUIDELINES (USSG) – ELEMENTS OF COMPLIANCE

Organization must promote culture “that encourages commitment to compliance with the law” by minimally:

1. Establishing compliance standards and procedures to prevent and detect violations
2. Governing authority oversight: “shall”
   • Be knowledgeable about content and operation of program
   • Exercise reasonable oversight regarding implementation and effectiveness
   • Assign specific high-level person(s) direct, overall responsibility
     – Give adequate resources
     – Give adequate authority
     – Have person report directly to governing authority or subgroup on implementation and effectiveness

USSG – ELEMENTS OF COMPLIANCE (cont.)

3. Due care in delegation of authority and employee screening
4. Effective training and communication of compliance standards, procedures, and other aspects of program
5. Monitoring, auditing including: periodic reviews of effectiveness of program; system for employees to report or seek guidance regarding actual/potential violations without fear of retaliation and anonymous reporting option
6. Program promoted through incentives and discipline
7. Reasonable steps to respond to violations and prevent similar violations

I.2 DHHS OIG – DRAFT COMPLIANCE PROGRAM GUIDANCE (“CPG”)

• Published 11/28/05 (70 FR 71312 – 71320)
• “Withdrawn” 6/27/06 OIG Press Release

“OIG has concurred with the Committee on Science (COS) [of the] National Science and Technology Council (NSTC) offer to expand upon OIG’s initial efforts to provide voluntary compliance guidance to Recipient of Federal Research Funding ….. The COS … Research Business Models Subcommittee will establish an inter-agency initiative to develop voluntary compliance guidelines for recipient of Federal research funding from all agencies across the Federal government”

DHHS OIG – DRAFT “CPG” (cont.)

8 Elements of a Compliance Program

(1) The development and distribution of written standards of conduct, as well as written policies and procedures, that reflect the institution’s commitment to compliance.

(2) The designation of a compliance officer and a compliance committee charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the head of the organization, such as the president and/or the board of regents in the case of a university.

(3) The development and implementation of regular, effective education and training programs for all affected employees.

(4) The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions that are addressed in a timely and meaningful way, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.

DHHS OIG – DRAFT “CPG” (cont.)

(5) The clear definition of roles and responsibilities within the institution’s organization and ensuring the effective assignment of oversight responsibilities.

(6) The use of audits and/or other risk evaluation techniques to monitor compliance and identify problem areas.

(7) The enforcement of appropriate disciplinary action against employees or contractors who have violated institutional policies, procedures, and/or applicable Federal requirements for the use of Federal research dollars, and

(8) The development of policies and procedures for the investigation of identified instances of non-compliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures.

I.3 COGR GUIDELINES

• “Managing Externally Funded Programs at College and Universities: A Guideline to Good Management Practices” (5th Edition)
• Available online at http://www.cogr.edu/files/publications_goodmanagament.cfm
• Provides detailed performance standards and best practices recommendations for specific risk/activity areas in sponsored research (e.g. “human subject protection”)
• Organized by hierarchical categories (in descending order from more general to more specific)
  • Principles
  • Practices
  • Indicators

COGR GUIDELINES (cont.)

Example: Principle: Cost Sharing

Practice A. The institution has written policies and procedures for cost sharing that are consistently applied in proposing, accumulating, and reporting costs both to external sponsors and within the institution.

Indicator 1. Cost sharing included in proposal budgets, accepted by the sponsoring agency, and made a condition of the award is considered to be an obligation of the institution.

Indicator 2. Investigator and staff effort as well as non-labor costs included as cost sharing obligations are appropriately recorded in the institution’s accounting records.

COGR GUIDELINES (cont.)

Indicator 3. Cost sharing expenditures meet the standards of allowability, allocability, and reasonableness consistent with federal cost principles and standards of sponsors.

Indicator 4. Institutional systems provide for appropriate monitoring of cost sharing for timeliness and adequacy of expenditure or in-kind valuation documentation.

Indicator 5. The institution reports required cost sharing in accordance with the terms and conditions of awards.

Indicator 6. Voluntary uncommitted cost sharing (i.e. investigator-donated additional time above that agreed to as a condition of the award) is excluded from the organized sponsored projects base used for computing the F&A cost rates.

I.4.A ANOTHER EXCELLENT RESOURCE

• Institute of Internal Auditors Research Foundation (IIARF)
• “Effective Compliance System: A Practical Guide for Educational Institutions” (2001) (Order online at www.theiia.org)
• 12 Chapters Cover
  • Why a Compliance Program
  • Compliance Program Essentials
  • How to Start
  • CEO as Program Keystone
  • First Six Months Getting Organized
  • Standards of Conduct & Compliance Training
  • Risk Assessment
  • Managing Critical “A” Risks
  • Assurance Strategies
  • Non-Compliance
  • Managing All “A” Risks
  • Learning Organization: Measure & Renew

ANOTHER EXCELLENT RESOURCE (cont.)

• “Effective Compliance System: A Practical Guide for Educational Institutions” Appendixes Include:
  • U. Texas “Action Plan” for compliance
  • Gaps Analysis Grid – UT program vs. Sentencing Guidelines
  • Stanford Plan
  • 18 steps for Establishing a Compliance Program
  • Sample Monitoring Plan
  • Self Assessment Instrument

I.4.B EXCELLENT INSTITUTIONAL RESOURCES AVAILABLE ON LINE

• University of Minnesota, Office of Institutional Compliance
  http://www.instcomp.umn.edu
• Stanford University, Institutional Compliance Program
  http://www.stanford.edu/dept/Internal-Audit/compliance/index.html
• University of Texas, Office of Institutional Compliance
  http://www.utexas.edu/administration/oic

I.4.C 18 STEPS FOR IMPLEMENTING A COMPLIANCE PROGRAM (FROM UNIV. OF TEXAS)

1. The governance function and/or the chief officer must recognize the need of an institutional compliance program.

2. The chief executive officer appoints an ad hoc committee representing all elements of the institutional community to develop an action plan for implementation and operation of the compliance program.

3. The chief executive officer appoints an institutional compliance officer and an institutional compliance committee.

4. The chief executive officer and the institutional compliance officer decide on the structure of the compliance function.

5. The compliance officer, as required by the structure of the compliance function, appoints a compliance coordinator and other compliance function staff.

6. The compliance officer and the compliance committee prepare a standards of conduct guide.

7. The compliance officer establishes a confidential reporting mechanism for employees to use to anonymously report potential instances of noncompliance.

18 STEPS FOR IMPLEMENTING A COMPLIANCE PROGRAM (FROM UNIV. OF TEXAS)

8. The compliance officer and the compliance committee establish the general compliance training program content based upon the standards of conduct guide.

9. The compliance officer and the compliance committee develop a general compliance training plan, including appropriate training delivery and testing methodologies.

10. The compliance officer, the compliance committee, and the compliance function facilitate a compliance risk assessment of the institution, including the identification of the institution’s “A” risks.

11. The compliance committee and the compliance officer may appoint a compliance committee working group representing all of the institution’s “A” risk areas to assist the compliance committee in performing specific tasks.

12. The compliance officer ensures that each institution “A” risk has a risk management design that includes (1) a single responsible party, (2) an appropriate monitoring plan, (3) an appropriate specialized training plan, and a reporting plan.

13. The compliance officer and the compliance committee, with input from the governance function and the chief executive officer, establish a compliance assurance plan for the institution to ensure that management of the institution’s “A” risks is being performed as designed.

18 STEPS FOR IMPLEMENTING A COMPLIANCE PROGRAM (FROM UNIV. OF TEXAS)

14. The compliance officer reports instances of potential and/or actual noncompliance to the chief executive officer as required.

15. Operating management deals with instances of noncompliance as specified in the policies and procedures that govern each process in the institution.

16. The compliance officer makes periodic reports to the chief executive officer on the activities of the compliance program.

17. The compliance officer and the compliance committee perform an annual self-assessment of the compliance program and, when needed, arrange for an external peer review of the compliance program.

18. The compliance officer and the compliance committee prepare an action plan to implement improvements to the compliance program identified in the self-assessment and/or the external peer review.

II. Compliance Oversight, Governance and Leadership Issues

II. Oversight and Leadership

• Fiduciary duties, funder expectations, and general norms for leaders have changed in the last 4 years.
  – Enron, Tyco, etc. (enough said)
  – Crosses over institutions (non profit, governmental, religious institutions, etc.)
  – Laws, regulations put accountability squarely with leadership; Non-delegable
  – These all reflected in 2004 Amendments to federal compliance model

II OVERSIGHT, GOVERNANCE & LEADERSHIP EXPECTATIONS

U.S. Sentencing Guidelines Now Provide …..

1. The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to (its) implementation and effectiveness.

2. High level personnel … shall ensure that the organization has an effective compliance and ethics program … [for which] specific individuals within high level personnel shall be assigned responsibility.

3. Specific individuals within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. [These individuals] shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the … program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate sub-group of the governing authority.

OVERSIGHT, GOVERNANCE & LEADERSHIP (cont.)

High Level Personnel Responsible for Compliance Program & Oversight
Examples: Compliance Officer / Committee; other clearly identified “quarterback”

High Level Personnel Accountable for Specific Assigned Compliance Responsibilities
Examples: Senior VPs, Deans (e.g. VP for Research Administration)

High Level Personnel with Day-to-Day Compliance Responsibilities
Examples: Directors, Department/Unit Heads (e.g. Director of IRB, housing director, financial aid director)

Oversight and Governance (cont.)

• Issues:
  – How do you provide compliance information to leadership to enable them to meet their duty (“knowledge” element)?
  – How do you provide compliance assurance to leadership, e.g. that you have programs in place for your highly regulated areas that meet compliance “good” practices and that are effective to prevent, detect, and in fact do respond to breakdowns? This is “due diligence.”
    • How do you do this without micro-managing or bringing Trustees/Regents into operations?
  – How do you institutionalize the above in the most effective, least burdensome way?

Example: U OF M COMPLIANCE OFFICE STRUCTURE

[Organization chart: Regents; President; Audits, OGC, Compliance Office; VP, VP, … Chancellors; Compliance Oversight Committee. Chart labels: Independent Monitoring/Oversight; Operational Responsible Parties.]

• Counsel
• Event/s
• Transactions

• Control Environment
• Transaction Review
• Discrete

• Programmatic
• Prospective
• Systematic Focus
• Infrastructure

OVERSIGHT, GOVERNANCE & LEADERSHIP ISSUES (cont.)

Example: University of Minnesota Compliance Partners Program

The Compliance Partners are a formal network of University officials who oversee operational compliance functions in 31 different risk areas of the University. Responsibility for most of the risk areas is system-wide such as access/disability issues, environmental health & safety, building codes, grant administration, etc. Some risks are decentralized by campus such as athletics, dining, housing and public safety. The network was established in 2004 and has four macro objectives:

1. Information to Leadership/ Enabling Compliance Oversight: Leadership regularly receives sufficient information to effectively oversee the compliance program.

2. Operational Accountability: Clearly identified offices/roles are established for compliance activities and structures are in place to ensure compliance activities are carried out.

3. Systemic Compliance Program Evaluation: The University makes an initial evaluation of its primary compliance risk areas to identify program strengths and weaknesses based upon the model program elements; the University creates a structure to ensure its compliance program is continually evaluated.

4. Alignment of Compliance Activities and Compliance Risks: Compliance activities, as defined by the model program elements, are balanced appropriately with the organization’s compliance risks to ensure adequate controls are in place using the most efficient use of University resources.

III. Assessing Compliance Risk and Culture

Compliance Assessment: LEADING VS. LAGGING INDICATORS

• Leading – predictive of future outcomes

– Assessment of training effectiveness

– Culture – willingness to report concerns

– Hotline trend reports

– Well-understood SOPs

– Clear and understood delegations

• Lagging – where compliance breakdowns have occurred

– Individual hotline reports

– Audit findings in colleges, units, research studies, etc.

– Fines, lawsuits, sanctions, etc.

COMPLIANCE SELF-ASSESSMENT APPROACHES

[Diagram: assessment approaches arranged from General/“soft” to Focused/“hard”. Labels on the diagram, in extraction order: Culture, Programmatic, Audits, Risk Area Specific.]

III. CULTURE ASSESSMENT: SAMPLE KEY INDICATORS

• Awareness of ethical/legal issues at work
• Perception of fair treatment among employees
• Willingness to report legal violations
• Knowledge of where to go with ethics/compliance questions
• Perception that leadership cares about ethical conduct
• Perception that ethical behavior is rewarded and unethical behavior is punished at all levels

CULTURE ASSESSMENT STRATEGIES

• Strategy 1 – All employee survey
• Strategy 2 – Audit survey
• Compliance areas should already have “feedback loops” in place that may supplement culture indicators, i.e. exit survey for employees and students.

CULTURE STRATEGY 1 – Example: U OF M “PULSE” SURVEY

• All employee web-based survey differentiated by roles (faculty, staff)

• Conducted biannually; statistically valid
• Measures many different cultural/HR metrics
• New “compliance” culture questions

PULSE QUESTIONS

I have experienced or observed significant misconduct (violation of law, workplace rules, or significant University policy) in my unit/department within the last twelve months?

Yes / No

If Yes, if the misconduct was not known by responsible University officials, did you or someone else report it to responsible University officials or the University’s confidential reporting service?

Yes, I reported it / Yes, others reported it / No, it was not reported / Don’t know

If Yes, do you believe responsible University officials took appropriate corrective action?

Yes / No / Don’t Know

PULSE QUESTIONS

Scale: 1 = Strongly Disagree, 2 = Disagree to Some Extent, 3 = Uncertain, 4 = Agree to Some Extent, 5 = Strongly Agree

• I know where to report violations of law or policy (such as the University's confidential reporting line). 1 2 3 4 5
• I believe I would be protected from retaliation if I report a suspected violation. 1 2 3 4 5
• University leadership demonstrates integrity and ethical behavior. 1 2 3 4 5

CULTURE STRATEGY 2 – Example: UofM INTERNAL AUDIT SURVEY

• Exit survey at the end of audits
• All employees in audited unit
• Web-based and anonymous if desired
• Approximately 25 surveys per year
• Response Rate: 45 – 50%

AUDIT QUESTIONS (SAMPLE)

Scale: SA = Strongly Agree, A = Agree, D = Disagree, SD = Strongly Disagree, N/A

• Management of your unit demonstrates the importance of integrity and ethical behavior to their employees. SA A D SD N/A
• I am familiar with how to report violations of law or policy, including the University’s confidential reporting line. SA A D SD N/A
• I believe I would be protected from retaliation if I report a suspected violation. SA A D SD N/A

Assessing specific compliance risks

BACKGROUND: ONE VIEW OF RISK AREAS

COMPLIANCE HEAT MAP

[Figure: heat map plotting risk areas by IMPACT (High, Moderate, Low) against RISK (Low, Moderate, High). The placement of each area on the map is not recoverable from this transcript.]

Outside Scope:
• Student Affairs, e.g. Drinking off campus
• Campus safety
• Emergency plans
• Other “non legal”

Risk areas shown on the map:
• Environmental Health/Safety
• Clinical Services (student health services, e.g.)
• Athletics
• Grants Administration
• Human Subject Research
• Bio Hazards/Security
• Technology Transfer
• Fiscal (purchasing & disbursement)
• Youth Camps/Programs
• Privacy / HIPAA
• Housing
• IT Security
• Animal Research
• EOAA
• Immigration
• OSHA
• Asset Management
• Foundations
• Access
• Student Finance
• Dining Services
• Copyrights
• Trademarks
• Tax
• HR
• Conflict of Interest

STRATEGY 1 - RISK INVENTORY AND ASSESSMENT IN 2 STAGES

• Stage 1 Risk Identification
  – “Cradle to Grave” of whatever can “go wrong” in the risk area
  – NOT an inventory of legal rules. Event driven and plain language
  – Steps
    • 1. Identify Risk areas
    • 2. Identify specific risks within these areas
• Stage 2 Risk Evaluation

STRATEGY 1 - RISK IDENTIFICATION - Risk Lifecycle: Examples

[Diagram: example risk lifecycles. Stage labels as extracted:]

• Collections and remedies
• Purchasing Authority & required prior approvals
• Vendor Selection
• Negotiating: terms, conditions and standard
• Contract performance

• Equal Opportunity and Affirmative Action
• Recruiting
• Hiring Process
• Employment Retention, Compensation Advancement
• Termination

STRATEGY 1 - RISK IDENTIFICATION - Subject Area: Examples

Human Resources
• Recruiting and hiring
• Compensation
• Overtime/overload
• Benefits
• Leaves
• Departure
• Performance management
• Workplace
• Dispute resolution
• Confidentiality
• Labor relations/negotiations

Environmental Health and Safety
• Community Air Quality
• Storm Water Mgmt
• Indoor Air Quality
• Biological Safety
• Controlled Substances
• Chemical Management
• Property Assessment
• Radiation Safety
• Waste Management

Fiscal
• Cash draws
• Accounts Receivable
• Accounts Payable
• Gifts
• External Sales
• Internal Sales
• Contract Revenue
• Purchasing
• Financial Reporting
• U purchasing Card
• Tax reporting and payments

STRATEGY 1 - RISK IDENTIFICATION - Specific Compliance Risks: E.g. Human Resources

Compliance Risk Area: Human Resources
1. Recruiting and hiring
2. Compensation
3. Overtime/overload
4. Benefits
5. Leaves
6. Departure
7. Performance management
8. Workplace
9. Dispute resolution
10. Confidentiality
11. Labor relations/negotiations

Specific Compliance Risks: 2. Compensation
• Improper FICA withholding
• Failure to obtain, validate, and document I-9 status
• Compensation is not "on step" with bargaining unit agreement amounts
• Failure to ensure social security number matches the identified employee's name
• Failure to report new hires to State as required by child support regulations
• Failure to garnish as required by garnishment orders and tax levies
• Payments contrary to terms of sponsored fund agreement
• Inequitable/improper award of merit pay/service award
• Not correctly tracking vacation
• Not correctly tracking sick time

IV. CODES OF ETHICAL CONDUCT

• Specific recommendation of NACUBO
  – Adopted
  – Senior Administration
  – Acknowledge receipt in writing
• Variety of approaches
  – Individual departments (purchasing, accounting, internal audit)
  – All Finance and Administration
  – Entire University

V. EDUCATION, TRAINING & PROMOTION OF RESPONSIBLE CONDUCT

• USSC Advisory Committee: Effective Training Involves
  • Communication of standards, roles and responsibilities to all organizational agents involved in the activity
  • Methods/means to motivate employees to comply
  • Compliance Education/Awareness program for organizational leaders including Board (or Board Committee) and senior leadership

EDUCATION, TRAINING & PROMOTION OF RESPONSIBLE CONDUCT (cont.)

• Types/Methods, Training and Education
  • Online training modules (with scored/un-scored tests)
  • Seminars, Presentations & Discussions
  • Certification Programs
  • Newsletters, Listservs, E-Bulletins
• Certification Programs
  • External (PRIMR/CIP for IRB Professionals)
  • Home-Grown
    – U. Minnesota: CAP Program
    – HMS ASPIRE Certification Program
• Testing & Certification Issues
  • Voluntary vs. Involuntary
  • Employment Issues (Notice, Job Description, Termination, Re-Assignment, Probationary Periods)
  • Disability & Accommodation Issues
  • Test validity, reliability (Job-relatedness)
  • Employee morale & satisfaction Issues
• Content & Quality Issues
  • Content Development (Experts, Consultants?)
  • Home grown or purchased/licensed?
  • Readability, Reading Levels
  • General versus Institutional Specific
  • Job Relatedness
  • Feedback

EDUCATION, TRAINING & PROMOTION OF RESPONSIBLE CONDUCT (cont.)

• Tracking & Record Keeping
  • Central vs. Local
• Employee Motivation & Morale
  • Bonuses/Rewards for Completion of Voluntary Certification
  • Awards & Recognition
  • Negative Reinforcement (Fair and Consistent Discipline)
  • Cooperation and Support of Managers
• Stanford Model (http://ora-stanford.edu/cardinal/)
  • “Cardinal Curriculum” (Modules developed through partnership of in-house education and training experts and subject matter experts)
  • “STARS” centralized “training and registration system to track all training occurring in decentralized training environment”.

VI. WHAT IS A CONFIDENTIAL REPORTING MECHANISM?

• Any method available to employees and other constituents of a school or university which allows for anonymous reporting of problems or concerns
  • Telephone
  • “Complaint” Box
  • Post Office Box
  • Internet

WHY SHOULD WE HAVE ONE?

• Tips to management are the leading method for detecting fraud

• Anonymous hotlines are a “key defense against management override of internal controls”

WHY SHOULD WE HAVE ONE?

“NACUBO recommends that institutions publicize the complaint mechanism and have it periodically reviewed by the audit committee. Institutions should incorporate the new complaint mechanism within existing human resource communication policies. Colleges and universities should also consider establishing hot lines, anonymous voicemail, and anonymous email or secure suggestion drop boxes to facilitate the complaint process.”

CONSIDERATIONS IN DESIGN OF SYSTEM

• In-house or outside vendor?
• Voicemail issues
• What areas or departments will be covered?
• Available 24/7?
• Ease of Use
• Method of follow-up communications

POSSIBLE AREAS TO COVER

• Financial Matters
• Athletics
• Risk Management
• Personnel
• Research
• Conflicts of Interest
• Student Affairs

REPORTING LINE AWARENESS

• Critical to success and use of system
• On-campus training
• Briefings (Deans meetings, business partners, School Chairs meetings)
• Vendors, students, and other non-employees

RESPONDING TO THE REPORT

• Role of Internal Audit
• Experience in coordinating with other offices (General Counsel, Provost, Vice Presidents)

Example: BAYLOR UNIVERSITY’S WEBSITE

• Launched September 2004 at request of Board
• Best “return” has been in the risk-management area
• Internal Audit serves as “traffic-cop”
• Disclosure to Board’s Audit Committee
• EthicsPoint is outside vendor (also provides telephone hotline)

VII: Pre-employment Screening

• “Due diligence” in hiring trustworthy employees
• General Issues/suggestions
  – Base checks on University activities, not job class (e.g. not “faculty”; yes “U who drive as part of regular duties”, which may include faculty; not “accountants”; yes those who handle “cash”)
  – Consider scope and value: how often, how broad, what to check
    • Credentials? Licenses? Degrees?
    • Once or more often (e.g. convictions during employment)
• NACUA has many resources on this! Use these.

VIII. AUDITING, MONITORING & TRENDING

• Sentencing Guidelines & USSC Advisory Committee Recommendations

• Two components: (1) Traditional Auditing and Monitoring to review/assess adherence to applicable laws, regulations and policies, and (2) Periodic evaluation of the effectiveness of the compliance program itself.

• Auditing and Monitoring efforts should be tied to (driven by) results of the risk assessment process. Activities with greatest risk should normally be highest audit priority.

AUDITING, MONITORING & TRENDING (cont.)

• Audits
  • Regular Audit Department Activities
    – A-133 Audits Sponsored Programs
    – Department Audits
  • Specialized Audit Programs
    – Clinical Research & IRB Audits
    – IACUC Post-Approved Audits
• Monitoring
  • Real-Time Observation (e.g. Clinical Research, Informed Consent Process)
• Sources of “Trending Information”
  • A-133 Audit
  • Hotline/Helpline Reports
  • Info from meetings, presentations, focus group discussions
  • Noncompliance Events
  • Employee Surveys

IX. REPORTING & CORRECTIVE ACTION

• Encouraging reporting of noncompliance (Code of Conduct, Hotline, Whistleblower & Non-Retaliation Policies, Training)

• Have clear policies and procedures regarding required reporting to regulatory agencies and other third parties (accreditors, contract partners)

• Establish and follow (escalating) sanction policies

• Establish and follow procedures for communications with managers/supervisors and appropriate institutional officials (Department Chairs, Deans) about noncompliance events.

ROLE OF LEGAL COUNSEL

• Perhaps some or all of the above?
• Provide legal advice and “final word” on all legal questions
• Serve as “Subject Matter Experts” in various areas.
• Interpret/Assess external enforcement and liability environment
• Lead/Assist with investigations
• Assist with risk assessments, gaps analyses, possibly under attorney-client privilege
• Policy drafting and implementation
• Assist with training
• General problem-solving

Questions or Comments