Auditing Compliance: Up, Down, and Sideways
Deena King, Director of Compliance, TWU
9/8/2016

Introduction: TWU, You, and the Agenda
About Texas Woman's University
Public University
Founded in 1901 as the "Girls Industrial College"
Located in Texas: Denton 12,490; Dallas 1,431; Houston 1,365; Total: 15,286
Part- and Full-time Faculty/Staff: 1,325; adding GA, Adjunct, Students: 2,143 (as of 8-1-16)
Graduate/Undergraduate: 5,206/10,080
Women/Men (1972): 90%/10%
"...the nation's largest public university primarily for women."
Management Principle
"Seek first to understand, then to be understood."
- Stephen R. Covey, The Seven Habits of Highly Effective People

About You: Survey
1 - How many of you are new to compliance audit?
2 - How many of you are experienced with compliance audit?
3 - How many of you just did not want to go to another session?
About You: Survey
1 - Audit Committee?
2 - Chief Audit Executive?
3 - Director?
4 - Manager?
5 - Auditor/Sr. Auditor?

About You: Survey
In your organization...
- Do you have an institutional ethics and compliance program?
- Is compliance separate from internal audit?
- Is compliance combined with internal audit?
Compliance in Higher Ed
Compliance is not new to higher education. Some universities have had institutional compliance programs for over 20 years.

Agenda
• Sideways
  • Auditing "compliance"
• Up and Down
  • Three primary levels of internal controls
  • Eight groups of internal controls required by the federal guidelines
• Putting it all together
• Popular management principles
Auditing "Compliance": Sideways

Auditing "Compliance"
Can internal audit provide reasonable assurance that our organization is "in compliance" with _________________?
EEO
OSHA
NCAA
PCI
ADA
Title IX
SOX
FLSA
DOE
HIPAA
FERPA
SEVIS
Research
Copyright
Tax
Clery
EPA
Etc. etc.
Auditing "Compliance"
• Discussion
  • How do you design these compliance audit programs?
  • Where do you go to find compliance audit templates?
  • What are your audit standards?

Higher Education Compliance Alliance
• The Higher Education Compliance Alliance was created by the National Association of College and University Attorneys (NACUA) to provide the higher education community with a centralized repository of information and resources for compliance with federal laws and regulations.
• http://www.higheredcompliance.org/
• ACUA is a member of this alliance
HECA Compliance Matrix
• 37 Federal Compliance Areas
• 262 Statutory Summaries
• Summaries include:
  • Topic (Area)
  • Statute
  • Regulations
  • Statutory Summary
  • Reporting Requirements & Deadlines
  • Additional Resources
  • Reporting Deadlines

Topic (Area): Campus Safety
Statute: Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) and Violence Against Women Act - 20 U.S.C. § 1092(f)
Regulations: 34 C.F.R. § 668.41(e) & 34 C.F.R. § 668.46
Statutory Summary: Any institution that participates in federal financial aid programs must collect information with respect to campus crime statistics and campus security policies of the institution. The institution must annually distribute to current students, employees, and (upon request)...
Auditing Compliance: Up and Down
"Foundations"
U.S. Sentencing Guidelines (aka "Federal Sentencing Guidelines" or FSG)
(emphasis added)

Compliance Programs: Overall Risk
"To have an effective compliance and ethics program...an organization shall—
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct."
- USSG §8B2.1.a (emphasis added)
Compliance Programs: Overall Risk
"The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense."
- Commentary on USSG §8B2.1, paragraph 7 (emphasis added)

Freeh Report, Penn State - 2012
9-6-13
Compliance in Context: Up and Down
Control Levels & Control Types
• Organizational Hierarchy
• The "Seven Elements"
• Design AND Implementation
Typical Organizational Hierarchy
Governance: Board
Management: Executives; Directors
Performance/Operational: Managers; "Front Line"

Levels of Internal Control
Board: "The organization's governing authority shall be knowledgeable...and shall exercise reasonable oversight..."
- USSG §8B2.1.b.2.A (emphasis added)
Levels of Internal Control
Management: "High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program."
- USSG §8B2.1.b.2.B (emphasis added)

Levels of Internal Control
Operational: "Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program."
- USSG §8B2.1.b.2.C (emphasis added)
Operational: A Broader View
Operational (Day-to-Day):
- Compliance Director
- Compliance Managers
- Subject-specific Compliance Partners
  - A Lot (HR, OSHA, ADA, etc.)
  - A Little (Travel Study, etc.)

Internal Control Principle: IIA's "Three Lines of Defense"
• Control Objective:
  • Verify there are internal controls in place at all three levels (Operations, Management, Board)
Internal Control Principle
• COSO "Cube"
• Control Objective:
  • Verify there are internal controls in place at all levels

The "Seven Elements"
The "Seven Elements" are fundamental internal controls for effective compliance programs, up and down.
The "Seven Elements"
1. Written standards, policies, and procedures.
2. Compliance "administration" (i.e. a compliance officer, etc.).
3. Communications, training, and education.
4. Monitoring and auditing.
5. Reporting and investigation.
6. Enforcement and discipline.
7. Response and prevention.

The "Eight Steps" at TWU [1]
AKA "Internal Controls"
1. Identify Requirements/Assess Risk
2. Establish/Modify Compliance Organization
3. Document Standards, Policies, and Procedures
4. Communicate Standards, Policies, and Procedures
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture
[1] Adapted from Compliance in One Page ©2015. Used with permission.
Rationale for the Modifications
• Identify Requirements/Assess Risk
  • Identify Requirements: A principle of accountability and program management
  • Assess Risk: "The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement" (USSG §8B2.1.c, emphasis added)
• Leadership/Corporate Culture
  • "Governing authority shall be knowledgeable and shall exercise reasonable oversight" (USSG §8B2.1.b.2.A, emphasis added)
  • "...an organization shall—...promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law" (USSG §8B2.1.a.2 and §8B2.1.b, emphasis added)

TWU Compliance Process: The Model [2]
Laws, Regulations, Regulators
1. Identify Requirements/Assess Risk
2. Establish/Modify Compliance Organization
3. Document Standards, Policies, and Procedures
4. Communicate Standards, Policies, and Procedures
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Campus Culture
Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness.
[2] Adapted from Compliance in One Page ©2015. Used with permission.
Internal Control Principle
• The adoption of the "seven elements" from the FSG at governance, management, and by ALL major subject-specific compliance programs helps infuse compliance internal controls into the culture and puts everyone on the same page
• Control Objective:
  • Verify the "seven elements" are used as internal controls from top to bottom
Management Principle
"Give a man a fish, you feed him for the day; teach him how to fish, you feed him for a lifetime."
- Eastern proverb, adapted by Stephen R. Covey in Principle-Centered Leadership

Compliance Controls Two Ways
• Design AND Implementation
"[The organization's] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct."
- USSG §8B2.1.a.2 (emphasis added)
Internal Control Principle
• "It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance."
  - Para 16, FERC Compliance with Statutes, Regulations, and Orders (emphasis added)
• Control Objective:
  • Verify a compliance program is designed AND implemented

Auditing Compliance: Up and Down
RISK
Risk Discussion
3 Levels; 8 Internal Control Areas; 2 Types (Design AND Implementation)
1. Identify Requirements/Assess Risk
2. Compliance Organization
3. Document Standards, etc.
4. Communicate Standards, etc.
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture

60-Second Stretch Break
Putting it All Together: Up and Down
CONTROLS TO LOOK FOR
Discussion
• Putting it all together
  • Organizational Hierarchy
  • The "Eight Steps"
  • Design AND Implementation
Levels of Internal Control
• Board Oversight
• Institutional Compliance
• Operational Compliance
  • EEO
  • OSHA
  • FERPA
  • Etc. etc.

Auditing Board Level Controls
• Discussion - Design & Implementation
1. Identify Requirements/Assess Risk
2. Compliance Organization
3. Document Standards, etc.
4. Communicate Standards, etc.
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture
Board Level Controls: Resources
• Association of Governing Boards of Universities and Colleges
  • Welcome to Compliance U: The Board's Role in the Regulatory Era
    http://agb.org/trusteeship/2013/7/welcome-compliance-u-boards-role-regulatory-era
• SCCE Regional Conference, Dallas, December 2015
  • Training and Responsibilities, Marjorie Doyle, CCEP-F
  • Training the Board on ethics and compliance program responsibilities

Auditing Institution/Operations
• Internal Controls
  • The "Eight Steps"
  • Design AND Implementation
• Scale & Scope
Note: The audit steps about to be discussed meet the requirement outlined in §8B2.1.b.5.B, "to evaluate periodically the effectiveness of the organization's compliance and ethics program"
Management Principle
"Concentrate on building an organization—building a ticking clock—rather than telling time...take an architectural approach and concentrate on building organizational traits..."
- Jim Collins & Jerry Porras, Built to Last, pp. 199-201 (paraphrased)
STEP 1: Identify Requirements/Assess Risk
• Legal Requirement: "...the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement..."
  - USSG §8B2.1.c (emphasis added)

STEP 1: Identify Requirements/Assess Risk
• Institutional Level
  • ID Requirements:
    • Design
    • Implementation
  • Assess Risk:
    • Design
    • Implementation
STEP 1: Identify Requirements/Assess Risk
• Operational Level
  • ID Requirements:
    • Design
    • Implementation
  • Assess Risk:
    • Design
    • Implementation

STEP 2: Establish/Modify Compliance Organization
• Legal Requirement:
  • "...governing authority shall be knowledgeable...and shall exercise reasonable oversight..."
  • "High-level personnel of the organization shall ensure the organization has an effective compliance and ethics program...Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program..."
  • "Specific individual(s) within the organization shall be delegated day-to-day operational responsibility..."
  • "...exercise of due diligence..."
  - USSG §8B2.1.b.2.A-C & 3 (emphasis added)
Governing Authority
"'Governing authority' means (A) the Board of Directors; or (B) if the organization does not have a Board of Directors, the highest-level governing body of the organization."
- Commentary, USSG §8B2.1

High-level Personnel
"'High-level personnel of the organization' means individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization. The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest."
- USSG Commentary, §8A1.2 (emphasis added)
Due Diligence
"The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program."
- USSG Commentary, §8A1.b.3 (emphasis added)

STEP 2: Establish/Modify Compliance Organization
• Institutional Level
  • Organization
    • Design
    • Implementation
  • Due Diligence
STEP 2: Establish/Modify Compliance Organization
• Operational Level
  • Organization
    • Design
    • Implementation
  • Due Diligence

Centralized: University of Oklahoma
http://compliance.ouhsc.edu/LinkClick.aspx?fileticket=nmblcMDq2GA%3d&portalid=61
- Reports to OU General Counsel
- Is over:
  - IRB
  - Healthcare Billing
  - Radiation Safety
  - EHS
  - Disability
- Services:
  - Tech Support
  - Compliance QA
  - Ethics
Decentralized: TWU Office of Compliance
Higher Education Compliance Alliance: 37 Federal Compliance Areas

Management Principle
"If we get the right people on the bus, the right people in the right seats, and the wrong people off the bus, then we'll figure out how to take it to someplace great."
- Jim Collins, Good to Great, p. 41
STEP 3: Document Standards, Policies, and Procedures
• Legal Requirement: "The organization shall establish standards and procedures to prevent and detect criminal conduct."
  - USSG §8B2.1.b.2.A-C & 3

STEP 3: Document Standards, Policies, and Procedures
• Institutional Level
  • Standards
    • Design
    • Implementation
  • Policies
    • Design
    • Implementation
STEP 3: Document Standards, Policies, and Procedures
• Operational Level
  • Policies
    • Design
    • Implementation
  • Procedures
    • Design
    • Implementation

STEP 4: Communicate Standards, Policies, and Procedures
• Legal Requirement: "Communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals by conducting effective training programs and otherwise disseminating information."
  - USSG §8B2.1.b.2.A-C & 3
STEP 4: Communicate Standards, Policies, and Procedures
• Institutional Level
  • Communication
    • Design
    • Implementation
  • Training
    • Design
    • Implementation

STEP 4: Communicate Standards, Policies, and Procedures
• Operational Level
  • Communication
    • Design
    • Implementation
  • Training
    • Design
    • Implementation
STEP 5: Implement, Promote, and Enforce
• Legal Requirements:
  "[The organization's] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct."
  "The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization."
  - USSG §8B2.1.a.2 & b.6 (emphasis added)

STEP 5: Implement, Promote, and Enforce
• Institutional Level
  • Implement
    • Design
    • Implementation
  • Promote
    • Design
    • Implementation
  • Enforce
    • Design
    • Implementation
STEP 5: Implement, Promote, and Enforce
• Operational Level
  • Implement
    • Design
    • Implementation
  • Promote
    • Design
    • Implementation
  • Enforce
    • Design
    • Implementation

Management Principle
"Sustained great results depend upon building a culture full of self-disciplined people who take disciplined action."
- Jim Collins, Good to Great, p. 143 (emphasis added)
STEP 6: Monitor, Audit, and Report
• Legal Requirement: "Ensure that the organization's compliance and ethics program is followed; monitoring and auditing to detect criminal conduct; evaluate periodically the effectiveness of the organization's compliance and ethics program; publicize a system...whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct."
  - USSG §8B2.1.b.5.A-C

STEP 6: Monitor, Audit, and Report
• Institutional Level
  • Monitor
    • Design
    • Implementation
  • Audit
    • Design
    • Implementation
  • Program Evaluation
    • Design
    • Implementation
STEP 6: Monitor, Audit, and Report
• Operational Level
  • Monitor
    • Design
    • Implementation
  • Audit
    • Design
    • Implementation
  • Program Evaluation
    • Design
    • Implementation

Management Principle
"Facts are better than dreams...[When] you start with an honest and diligent effort to determine the truth of the situation, the right decisions often become self-evident...You absolutely cannot make a series of good decisions without first confronting the brutal facts."
- Jim Collins, Good to Great, pp. 69-70
STEP 7: Continuous Improvement
• Legal Requirement: "After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program...
  "[T]he organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to...modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process."
  - USSG §8B2.1.b.7 & c (emphasis added)

STEP 7: Continuous Improvement
• Institutional Level
  • Continuous Improvement
    • Design
    • Implementation
STEP 7: Continuous Improvement
• Operational Level
  • Continuous Improvement
    • Design
    • Implementation

STEP 8: Leadership/Campus Culture - "Lead with Integrity"
• Legal Requirement: "Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law..."
  - USSG §8B2.1.a.2 and §8B2.1.b (emphasis added)
  "...governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight... Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program..."
  - USSG §8B2.1.b.2.A-B (emphasis added)
STEP 8: Leadership/Campus Culture - "Lead with Integrity"
• Institutional Level
  • Leadership
    • Design
    • Implementation
  • Campus Culture
    • Design
    • Implementation

STEP 8: Leadership/Campus Culture - "Lead with Integrity"
• Organizational Level
  • Leadership
    • Design
    • Implementation
  • Campus Culture
    • Design
    • Implementation
Putting it All Together
• Review
  • Organizational Hierarchy
  • The "Eight Steps"
  • Design AND Implementation
Summary: Institutional Design
• ID Requirements/Assess Risk
  • Inventory ID and Update Process
  • Regular Risk Assessment
• Organization
  • Org Charts
  • Documented roles and responsibilities
  • Background checks
• Documentation
  • Process for designing/updating standards, policies, procedures, programs, and plans
• Communicate
  • Communication Plan
  • Training Plan
• Implement, Promote, Enforce
  • Action Plan(s)
  • Awards Program, Contests, etc.
  • Enforcement Process
• Monitor, Audit, Report
  • Audit Plan(s)
  • Monitoring Plan(s)
  • Program Evaluation Schedule
  • Reporting as needed
• Continuous Improvement
  • Plans to remediate and correct
• Leadership/Culture
  • Surveys, Training, Communication, etc.

Summary: Institutional Implementation
• ID Requirements/Assess Risk
  • Compliance Inventory or Website
  • Risk Assessment Notes, Reports
• Organization
  • Positions are filled with qualified people
  • Evidence that roles and responsibilities are fulfilled
  • Sample redacted background checks
• Documentation
  • Documented standards, policies, procedures, programs, and plans
• Communicate
  • Evidence of Communication
  • Evidence of Training
• Implement, Promote, Enforce
  • Steps 1-4 and 6-8 have evidence
  • Sample promotion evidence
  • Sample enforcement actions
• Monitor, Audit, Report
  • Sample audit reports
  • Sample monitoring reports
  • Program Evaluation Report
  • Sample of reports to mgt and board
• Continuous Improvement
  • Evidence of remediation, corrections
• Leadership/Culture
  • Evidence of leadership and culture
Summary: Operational Design
• ID Requirements/Assess Risk
  • Inventory ID and Update Process
  • Regular Risk Assessment
• Organization
  • Org Charts
  • Documented roles and responsibilities
  • Rely on HR background checks
• Documentation
  • Process for designing/updating standards, policies, procedures, programs, and plans
• Communicate
  • Communication Plan
  • Training Plan
• Implement, Promote, Enforce
  • Action Plan(s)
  • Awards Program, Contests, etc.
  • Enforcement Process
• Monitor, Audit, Report
  • Self-Audit Plan(s) and external/internal
  • Self-Monitoring Plan(s)
  • Program Evaluation Schedule
  • Reporting as needed
• Continuous Improvement
  • Plans to remediate and correct
• Leadership/Culture
  • Surveys, Training, Communication, etc.

Summary: Operational Implementation
• ID Requirements/Assess Risk
  • Compliance Inventory or Website
  • Risk Assessment Notes, Reports
• Organization
  • Positions are filled with qualified people
  • Evidence that roles and responsibilities are fulfilled
  • Evidence background checks were done
• Documentation
  • Documented standards, policies, procedures, programs, and plans
• Communicate
  • Evidence of Communication
  • Evidence of Training
• Implement, Promote, Enforce
  • Steps 1-4 and 6-8 have evidence
  • Sample promotion evidence
  • Sample enforcement actions
• Monitor, Audit, Report
  • Sample self-audit, external/internal reports
  • Sample self-monitoring reports
  • Program Evaluation Report
  • Sample of reports to mgt and board
• Continuous Improvement
  • Evidence of remediation, corrections
• Leadership/Culture
  • Evidence of leadership and culture
Online Resources
• http://www.twu.edu/general-counsel/compliance-information.asp
  • TWU Compliance Program
  • TWU Compliance Guide
• http://www.twu.edu/general-counsel/14293.asp
  • Basic Compliance Audit Program
    • Covers all the "up/down" steps we just discussed
  • Compliance Surveys
  • Items for TWU Compliance Partners
  • Etc.

Questions/Comments (If Time Permits)
Thank you!
Auditing Compliance: Up, Down, and Sideways
Deena King, Director of Compliance, TWU