Compliance Office Responsibilities
• Make compliance a part of everyday activities of the institution
• Monitor the various compliance program activities
• Communicate with the chief executive officer and others regarding compliance program activities
• Establish a compliance function

Making Compliance a Part of Everyday Activities
• Awareness communication avenues
• Risk-based plan and compliance manual
• Training tools and delivery mechanisms
• Monitoring plans and assurance processes
• Confidential reporting mechanism
• Reporting procedures

Monitor Compliance Program Activities
• Training
• "A" list risk monitoring plans
• Non-compliance
• Program

Communicate with Executive Management
• Instances of non-compliance that require executive action
• Risk-based plan
• Monitoring activities
• Compliance Committee meeting minutes
• Compliance program self-assessment

Four Elements Required for Managing Compliance "A" Risks
• Responsible party
• Monitoring plan
• Specialized training plan
• Reporting plan
Each high risk must have all four elements.

Responsible Party Must Exhibit Each of the Following:
• Exclusive responsibility for managing the risk
• Knowledge to manage the risk
• Authority to manage the risk

Specialized Training Plan Identifies:
• Who is trained
• Level of knowledge transferred
• Frequency of training
• Provider of training

Reporting Plan Should Include:
• Activity to be reported
  • Supervisory control activities detailed in the monitoring plan
  • Training activity detailed in the training plan
• Items to be reported for each activity, such as the number of transactions examined or the number of employees trained
• Frequency of reporting for each activity
• Who receives the report for each activity

Supervisory Control Activities to Be Reported:
• The number or percentage of execution events or transactions in the universe and the number examined
• The number or percentage of execution events or transactions that failed the control attribute
• The identified causes of failure
• The action taken to mitigate repetitive failure
• The need for process improvement
• The need to escalate the consequence of non-compliance to mitigate repetitive non-compliance
Examples (one for each item to be reported):
• Universe and number examined: number of purchase contracts reviewed from the universe of contracts
• Failures: number of purchase contracts that did not satisfy the competitive bidding process
• Identified causes of failure: such as personal preference of the requestor
• Action taken: such as providing training to all buyers
• Process changes: such as modifying the computer program to include the RFP# and Award Designation
• Escalated consequence: on a second instance for the same requestor, remove budget spending authority
Compliance Committee Purpose
• To provide the senior executive level decision-making function for the compliance program

Compliance Committee Duties and Responsibilities
• Provide guidance and direction, including policy decisions
• Allocate resources
• Ensure that appropriate action is taken for instances of non-compliance

Compliance Committee Composition
• Size
• Management level
• Line management vs. staff management

Compliance Committee Support Mechanisms
• Compliance Function
  • Compliance Coordinator and staff
  • Monitor and assist high risk responsible parties
  • Perform training and risk assessment
• Working Group
  • High risk area representatives
  • Perform specific tasks, as assigned by the compliance officer, that would normally be performed by the compliance function staff
Collaborative Assurance Philosophy
• Risk management is the responsibility of every employee
• Risk management assurance is provided by all levels of the organization
• A risk self-assessment is the basis for all risk management and risk management assurance activities

Risk Management Components
• Define a common risk management process
• Assess risk
• Manage risk
• Learn and renew
Make risk management a part of everyday activities.

Risk Self-Assessment: The Tool
1. Identify goals and objectives
2. Convert to activities or processes
3. Inventory risks
4. Measure risks
5. Prioritize risks

Goals and Objectives
• Strategic plan
• Annual operating plans
• Work unit goals and objectives
Assessing Risks
1. Establish organization objectives
2. Assess risk
  A. Identify
  B. Measure
  C. Prioritize
3. Choose mitigation strategy
Brainstorming: The Technique
• People involved in the process or activity
• Identify activities performed to achieve goals and objectives
• Inventory risks associated with each activity

Mitigation Strategies
• Accept: no mitigation
• Avoid: do not do the activity
• Transfer: contract out / manage the contract
• Control: internal mitigation actions
• Exploit: do something else
What Is It?
A model of both periodic and on-going assurance regarding the management of risks.

What Are Its Benefits?
• Governance benefits
  • Appropriate assurance on all risks
  • Fewer surprises
• Management benefits
  • Real-time assessment
  • Ownership
• Internal audit benefits
  • Increased coverage
  • Value-added effort
Assurance Continuum Model for the 21st Century (figure)
Collaborative Assurance (Governance and Management Control Processes) spans Periodic Assurance (Governance Control Processes) at both ends and On-going Assurance (Management Control Processes) in between:
• Internal Audit Controls (periodic): pre-operations design review of on-going assurance
• Execution Controls (on-going): during execution of the event or transaction
• Supervisory Controls (on-going): immediately after execution of the event or transaction
• Oversight Controls (on-going): soon after execution of the event or transaction
• Internal Audit Controls (periodic): post-operations audit of the execution of on-going assurance
Levels of Internal Control Involvement in Process (figure; items affected vs. time)
• Execution Controls: totally (every transaction), in real time
• Supervisory Controls: some (sample of transactions), soon after
• Oversight Controls: little (exception reports), periodically
• Internal Audit: none to isolated items, annually
Source: UT System Audit Office, David B. Crawford, 07/28/99
Execution Controls (Operating Controls)
• Embedded in day-to-day operations
• Policies and procedures
• Segregation of duties
• Reconciliations / comparisons
• Performed on every event/transaction
• Performed by the generators of the event/transaction
• Performed in "real time", as the event/transaction is executed

Supervisory Controls (Monitoring Controls)
• Re-application of operating controls
• Supervisory review; quality assurance; self-assessment
• Performed very soon after the generation of the event/transaction
• Performed by line management or staff positions who do not originate the event/transaction
• Performed on a sample of the total number of events/transactions

Oversight Controls (Executive Controls)
• Exception reports, status reports, analytical reviews, variance analysis
• Performed by representatives of executive management
• Performed on information provided by supervisory management
• Performed within a short period (weeks/months) after the event/transaction is originated

Internal Audit Controls (Governance Controls)
• Audit of the design of controls, not the operation of controls
• Performed either before the event/transaction is originated or long after
• Performed by staff with no involvement in the operations
• Performed on individual events/transactions for discovery only

Operational Examples: Levels of Control in the COSO Model (LOCs)
Managing Risk
• Use the risk management plan
• Assign responsibility
  • Risk management responsibility
  • Oversight control responsibility
• Develop the following plans:
  • Monitoring
  • Specialized training
  • Reporting
• Pre-defined set of consequences for non-compliance with the risk management plan

Monitoring Plan
• Execution controls
• Supervisory controls
• Oversight controls

Specialized Training Plan
• Knowledge required to manage the risk
• Who needs that knowledge
• How to transfer the knowledge
• How to measure the effectiveness of the transfer

Collaborative Assurance: Learning and Renewing
• Gap analysis and action plans
• "Play it again, Sam!"

Gap Analysis and Action Plans
• Self-assessments
• Supervisory controls
• Oversight controls
• Internal auditing
Play It Again, Sam! (figure)
General purpose process (A - E), shown as a cycle:
A. Objectives
B. Identify risk areas
C. Assess risk
D. Risk response
E. Learning
Detailed process (1 - 9) is shown alongside the general cycle.
(Source: Adapted from the TBS Integrated Risk Management Framework)