2006 ACUA Midyear Seminar Compliance Track, April 10-12, 2006. Presented by: Charles Chaffin, Jane Youngers, Pete Carlon, David Givens, Amy Barrett, Kimberly Hagara, Michael Charlton, Paige Buechley, Lisa Blazer, Paul Pousson, Dick Dawson
Compliance Track Agenda • Day 1: Compliance fundamentals; High compliance risk areas; Environmental Health and Safety • Day 2: Research; NCAA • Day 3: Student Financial Aid; Other high compliance risk areas; Wrap-up and Enterprise Risk Management
The Fundamentals of Compliance in Higher Education Presented by: Charles G. Chaffin, CPA, CIA Director of Audits and System-wide Compliance Officer The University of Texas System April 10, 2006
Outline • What is Compliance? • Compliance Fundamentals • Audit’s Value in Compliance • High Risk Areas
Who we are • ~90,000 employees • 183,000 students (3K to 50K per campus) • $31.9 billion total assets • $19.3 billion portfolio under management • $9.6 billion annual operating budget • $5 billion dollar construction program • >$1.5 billion dollars in annual research funds • 2.1 million acres in West Texas, nearly 10,000 producing wells • Major Research Programs, NCAA Programs • 6 Physician Practice Plans, 4 Hospitals
UT System Institutions • U.T. Arlington • U.T. Austin • U.T. Brownsville • U.T. Dallas • U.T. El Paso • U.T. Pan American • U.T. Permian Basin • U.T. San Antonio • U.T. Tyler • U.T. Southwestern Medical Center at Dallas • U.T. Medical Branch at Galveston • U.T. Health Science Center at Houston • U.T. Health Science Center at San Antonio • U.T. M.D. Anderson Cancer Center • U.T. Health Center at Tyler
What is Compliance? • Compliance is focused on ensuring that an entity operates within the boundaries of all applicable laws, rules, policies and regulations governing higher education institutions (internal and external) • Compliance is critical to avoid monetary loss/penalties, loss of funding, damage to reputation, and demands on executive time • An effective compliance program should result in fewer surprises through early detection of non-compliance and fraud
What is Non-compliance? • “The University of Connecticut will pay $2.5 million to settle allegations it filed false grant applications and overbilled the government for research” – Jan ’06 • “The University of South Florida has fired three employees after it found $275,000 in misplaced checks and cash in their office” – Jan ‘06 • The U.S. attorney delivered an ultimatum to the troubled University of Medicine and Dentistry of New Jersey telling its governing board to accept a federal takeover of the school's financial operations or face criminal prosecution that could shut it down – Dec ‘05 • “double billing Medicare and Medicaid by at least $4.9 million” • “The University of Medicine and Dentistry of New Jersey improperly awarded more than $16 million in contracts last year without competitive bidding” • American University excessive compensation, travel and personal expenses • “ITT Educational Services Inc. agreed to pay $725,000 to settle a lawsuit in which employees charged that the higher education company had inflated students’ grade point averages so they qualified for more financial aid from the State of California.”
UT System Non-compliance • UTPA – Forgery - $250,000 – 1991 • UT Austin – Fictitious Vouchers - $800,000 – 1994 • Several Institutions – IRS issues - $1 Million – 1992-1994 • UT Austin – Illegal Drugs in Chemistry Department – 1994 • Medical School – Medicare Billing - $17 Million – 1997 • UTMB Galveston – Human Subjects – closed research - 2000
Compliance vs. Audit Programs • Compliance works with the business units to maximize compliance with applicable laws, rules, regulations, policies and procedures • Compliance functions are generally embedded in the business function and are part of the control structure • On-going, daily assurance • Audit is an independent, objective assurance and consulting activity designed to add value by evaluating the control structure • Periodic and after the fact assurance
Elements of a Successful Compliance Program • For an organization to have an effective compliance program, the following elements are required: 1. Existence of written standards 2. Effective oversight 3. Due care in delegation of authority 4. Training 5a. Monitoring and auditing to detect non-compliance 5b. Provide and publicize a system to report non-compliance 6. Standards consistently enforced through appropriate discipline 7. Corrective action once offense has occurred to prevent future similar instances Note: From the United States Federal Sentencing Guidelines, 1991
Implementing an Effective Institutional Compliance Program • Definition: An Institutional Compliance Program is one that encompasses your entire university • Must have one within Athletics • And within the Safety Program • The Institutional Compliance Program joins it all together, creating a situation in which one individual is held accountable by the president
Implementation of an Effective Institutional Compliance Program (cont’d) • Building the Infrastructure • Creating Compliance Awareness • Managing Critical Risks • Appraisal and Renewal
A. Building the Infrastructure • TIME and RESOURCES required • Driven by the size and overall complexity of your institution • Convincing your institution to fund and/or staff the program • Specific tasks • Appoint a COMPLIANCE OFFICER • Current executive or a new position, full-time or part-time • Attorney, Auditor, Business Officer • Appoint a COMPLIANCE COMMITTEE • Executive – President’s Cabinet • Working Committee – High Risk Area Department Heads (H.R. Director, Safety Officer, etc.) • Establish a COMPLIANCE FUNCTION/OFFICE • Full-time staff or slice of current staff time • Housed in the legal, audit, or business affairs office, or it can stand alone
A. Building the Infrastructure - Compliance Office Responsibilities • Compliance Office responsibilities • Make compliance a part of everyday activities of the institution • Monitor the various compliance program activities • Communicate with the chief executive officer and others regarding compliance program activities • Establish a compliance function
A. The Infrastructure • Compliance Officer • Compliance Committee • Compliance Function/Office • Institutional Community Imbued with Ethical Culture
B. Creating Compliance Awareness • Compliance Awareness = An Institution Imbued with Ethical Culture • From the bottom up, include everyone • Develop a Standards of Conduct Guide (Code of Conduct) • Develop a General Compliance Training Program • Face-to-face • Web-based • Articles and emails • Establish a confidential reporting mechanism (Compliance Hotline) • Third Party Vendor • In-house Legal or Audit • Email
C. Managing Critical Risks • Risk ASSESSMENT Process • Identify risks to achieving the goals and objectives of the institution: • Probability of Occurrence • Potential Impact Related to Occurrence • Identify the SHOW-STOPPERS
C. Managing Critical Risks - Risk Assessment Matrix (Best Practices) • Columns of the matrix: • Objective/Activity • Risk & Exposure • Rank Before Controls: Potential Impact (H/M/L) and Probability of Occurrence (H/M/L), combined into a rank such as HH, HM, HL, MH, MM • Mitigation Strategy: Avoid, Accept, Transfer, or Control • Controls applied: Operating Controls, Monitoring Controls, Oversight Controls, I/A Controls • Rank After Controls (H/M/L)
C. Managing Critical Risks (cont’d) • Determine risks that are organization critical: • Medicare Billing Rules (fines) • Research Time and Effort Reporting (fines) • Research Human Subjects (suspension) • Research Medical Billing (fines) • Lab Safety (injury) • Fire (injury and death) • Athletic Recruiting (loss of scholarships) • Athletic Boosters (loss of scholarships) • Sexual Harassment (very bad) • Endowment Spending (repay endowment)
C. Managing Critical Risks (cont’d) • Risk MANAGEMENT Process for “A” risks • Single High-Level Responsible Party • Dean or Provost, VP of Research or Business, HR Director • Knowledge and authority to manage risk • Specialized Training Plan • Risk Specific – For whom, what knowledge, frequency, by whom • Monitoring Plan • How do you know if you are following the rules? • Reporting Plan • Report Cards to Compliance Officer and/or President, corrective action • What activity and items to be reported, frequency, for whom
C. Managing Critical Risks - Monitoring Plan • Every step in a monitoring plan should already exist in the policies and procedures that manage the risk • The monitoring plan serves as the criteria for all types of assurance services • The monitoring plan for high risks must include Level 1, Level 2, and Level 3 controls • The monitoring plan must indicate the documentation that is created by each level of control
Levels of Internal Control (chart from the UT System Audit Office, David B. Crawford, 07/28/99, plotting each level by TIME of the control, ITEMS AFFECTED and involvement in the process) • Level 1 - Execution: every transaction, in real time, totally involved in the process • Level 2 - Supervisory: sample of transactions, soon after, some involvement • Level 3 - Oversight: exceptions and status, periodically, little involvement • Level 4 - I/A: isolated items, annually, no involvement
Assurance Continuum Model for the 21st Century • Collaborative Assurance (Governance and Management Control Processes) spans both of the following: • Periodic Assurance (Governance Control Processes): Level 4 Controls – pre-operations design review of on-going assurance; Level 4 Controls – post-operations audit of execution of on-going assurance • On-going Assurance (Management Control Processes): Level 1 Controls – during execution of event or transaction; Level 2 Controls – immediately after execution of event or transaction; Level 3 Controls – soon after execution of event or transaction
C. Managing Critical Risks - Monitoring Plan • Execution or Operating Controls (Level 1) • Policies and procedures, data integrity, segregation of duties • Embedded in day-to-day operations and performed by generators of events • Performed on every event/transaction in real time • Monitoring plan will include a definition of the documentary evidence created to support the application of the operating controls • Supervisory or Monitoring Controls (Level 2) • Supervisory review of operating controls to be performed • Performed by line management or staff positions not originating the event • Performed on sample of total events soon after the event/transaction • Monitoring plan will include a definition of the documentary evidence created to support the application of the supervisory controls
C. Managing Critical Risks -Assurance Activities • Oversight Controls (Level 3) • Exception reports, status reports, analytical reviews, variance analysis • Performed by representatives of executive management not part of day-to-day operations on information provided by supervisory management • Performed weeks to months after event/transaction originated • Examples include compliance inspection • Audit Controls (Level 4) • Performed by staff with no involvement in the operations • Performed weeks to months after event/transaction originated • Examples include Internal/External audits of high-risk area or compliance program, peer reviews
Collaborative Assurance Model (Level of Assurance Provided, by who performs the Execution Controls / Supervisory Controls / Oversight Controls / I/A Controls) • Optimal: Management / Management / Management / Internal Audit • Acceptable: Management / Management / Internal Audit / Internal Audit • Marginal: Management / Internal Audit / Internal Audit / Internal Audit • Unacceptable: Internal Audit / Internal Audit / Internal Audit / Internal Audit • Unacceptable: Management / Management / Management / Management
Assurance Strategies Matrix (Assurance Strategy: Provided by; Provided On; Provided For) • Certification: Responsible Party; Responsible Party; Compliance Officer • Inspection: Compliance Function; Responsible Party; Compliance Officer & Chief Executive Officer (CEO) • Agreed Upon Procedures: Internal Auditing; Responsible Party; Compliance Officer • Design Audit: Internal Auditing; Compliance Officer; CEO & Governance • Information Validation Audit: Internal Auditing; Responsible Party & Compliance Function; CEO & Governance • External Peer Review (in lieu of compliance oversight): External peer review team of subject matter experts; Responsible Party; Compliance Officer • External Peer Review (in lieu of Internal Auditing information audit): External peer review team of subject matter experts; Responsible Party & Compliance Function; CEO & Governance • External Peer Review (of the compliance program): External peer review team; Compliance Officer, Compliance Function and the Compliance Committee; CEO & Governance • Other External Assurance Providers: Accreditation Team, External Auditors, Regulators; Responsible Party; Compliance Officer, CEO, & Governance
D. Appraisal and Renewal • Addressing instances of non-compliance • On-going assurance regarding the management of mission critical risks • Certifications • Inspections • Peer Reviews • Agreed-upon Procedures • Audits (design and/or information validation) • Periodic assessment of the Compliance Program • Self-assessment • External Peer Review • Renewal • (Action Plan based on periodic assessment)
Benefits of Effective Compliance Program • Reduction in NEGATIVE PUBLICITY • Reduction in FINES and EXTERNAL AUDITS • Reduction in WORKERS’ COMP. CLAIMS • Safety Program Awards • Change in Organizational Culture • Established Basis for Enterprise-wide Risk Management and Accountability Program
Sharing What We Learned • How-to-do-it book: Effective Compliance Systems: A Practical Guide for Educational Institutions, available from The Institute of Internal Auditors, Inc. • Hosted: 4 National Conferences on Effective Compliance Systems/ERM in Higher Education (March 2000; October 2002; April 2004; March 2006) in Austin, Texas • Hosted: Sarbanes-Oxley Conference, October 2003 • Sharing: Presentations at ACUA and IIA conferences, at individual institutions of higher education, and to commercial organizations • Sharing: Major Research Institutions Compliance Group formed after the 2nd Compliance Conference
Compliance and Audit • Compliance works with the business units to maximize compliance with applicable laws, rules, regulations, policies and procedures • Compliance functions are generally embedded in the business function and are part of the control structure • On-going, daily assurance • Audit is an independent, objective assurance and consulting activity designed to add value by evaluating the control structure • Periodic and after the fact assurance
Internal Audit Plays a Key Role in Developing a Compliance Program • Understands COSO • Experienced in Risk Assessments • Knows the Different Levels of Controls • Able to Train • Has Audited Compliance Issues for Years
Compliance Audit Objectives • To provide assurance that an effectively designed compliance program for the high risk area has been implemented and is operating effectively • Are risk assessments taking place? • Are risk management plans in place for all high compliance risk areas? • Single high-level responsible party? • Specialized training provided to appropriate personnel, by appropriate content experts? • Monitoring plans in place and being executed for all high compliance risk areas? • Is the reporting structure operating? Corrective actions implemented? • Providing periodic assessment of the overall compliance program • To provide assurance that the institution is in compliance with policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports
When to Audit • The Compliance Office is responsible for conducting inspections of all the high risk areas, except for the ones for which it is itself the responsible party
Inspections • Inspection results: • Ready for audit - Internal Audit schedules the audit • Not ready for audit - The Compliance Office works with the responsible person and informs Internal Audit when the area is ready • Internal Audit performs the inspections on areas where the responsible party is in the Compliance Office
Audit Procedures • Leverage prior audits and/or other institution audit procedures within your system • Gain an understanding of the high risk area • Test the high risk area • Monitoring • Training • Reporting • Audit report to management
Gaining an Understanding • Review prior audits • Review policies and procedures relevant to the high risk area • Review the inspection report and any working papers prepared by the Compliance Office • Follow up on any recommendations made in the inspection report. • Review the Institutional Compliance Program manual for information relating to the high risk area, such as: • Risk Assessment • Assess for reasonableness, any changes, etc. • Compliance Program Operations Guide • Assess for reasonableness, completeness • Method of Monitoring • Interview the responsible person, others as considered necessary • Attend educational conferences highlighting high compliance risk areas (!)
Testing - Method of Monitoring • Determine if the responsible person is monitoring compliance as stated in the monitoring plan • Review documentation maintained by the responsible person to ensure that monitoring is being documented • Determine if monitoring plan appears reasonable. Is it measurable, sufficient to ensure compliance, etc. based on auditor’s understanding of the area?
Testing - Examples of Audit Tests of Monitoring • Method of Monitoring: Supervisory review of journal entries by the Manager of Financial Reporting • Audit procedure: Select a sample of journal entries to determine if the Manager is reviewing and approving journal entries
Testing - Training • Determine if training is being performed in accordance with the training plan • Review documentation, such as sign-in sheets, etc., to ensure that training is being performed • Determine if training plan appears reasonable, based on auditor’s understanding of the area. Is the population of employees specified? Do responsible persons receive training?
Testing - Reporting • Determine if reporting is being performed in accordance with the reporting plan • Review documentation, such as quarterly reports and compliance committee meeting minutes to ensure that reporting is being performed
Exit Conference • First, an exit conference is held with the responsible person and any others deemed necessary to discuss potential findings and recommendations
Audit Report • Then, a report is drafted. When the responsible person is satisfied and the report has gone through appropriate levels of review, it is addressed to the President and given to the following: • Responsible person • Responsible person’s supervisor (Dean, VP, etc.) • Members of the Audit and Compliance Committee • Compliance Officer • Assistant Compliance Officer(s)