1. The University of Texas System
The Fifth Conference
Effective Compliance Systems in Higher Education
June 5, 2007
Reporting: Duties & Responsibilities of a Compliance Officer and Area Responsible Parties
Rick Moyer
Executive Director, Internal Audit and Institutional Compliance
Stanford University and Hospitals
2. Agenda
Stanford Facts/Overview
Institutional Compliance Coordinating Committee
Committee on Management Control and Compliance
Reporting to Board of Trustees
Assessment Process
STARS
Compliance Helpline
Next Steps
Questions
3. Stanford Facts/Overview
4. Major Components of Stanford
Stanford University
Stanford Hospital and Clinics
Lucile Packard Children’s Hospital
Stanford Management Company
Stanford Linear Accelerator Center
5. Stanford Facts
Total Consolidated Revenues – FY06 $4.5B
Total Revenue – University – FY06 $2.9B
Total Revenue – Hospitals – FY06 $1.6B
Sponsored Research – FY06 $994M
Total Gifts – FY06 $911M
Endowment – end of FY06 $14.1B
Total Assets – Consolidated – FY06 $24.7B
Undergrad Enrollment – Oct 2006 6689
Grad Enrollment – Oct 2006 8201
Faculty – Oct 2006 1418
Nobel Laureates 18
NCAA Directors Cups 12
6. Institutional Compliance Program: Brief History
Planning Committee formed in 2000
Implementation plan approved by President and Audit Committee in Fall 2001
January 2002 – first meeting of Compliance Coordinating Committee (19 original areas represented)
Original Program Goals
Coordinate the University’s compliance assurance activities
Ensure the institutional perspective is always present
Assess existing programs against Federal Sentencing Guidelines
Implement “early warning” program for emerging compliance issues
Carry out specific compliance support activities
Taking on direct compliance responsibility and creating a new bureaucracy were “outside the scope”
7. Stanford University Internal Audit and Institutional Compliance
Vision
To be a valued partner and advisor to management, faculty, and the Audit and Compliance Committee of the Board of Trustees
Mission
To assist University management and the Stanford Board of Trustees in identifying, avoiding, and where necessary, mitigating risks.
Charter
“The Department is responsible for examining and evaluating the adequacy and effectiveness of the systems of internal control (…) and procedures for financial and compliance monitoring and reporting.”
The Executive Director of Internal Audit shall have the authority to make specific reports directly to the President (…) and shall have direct access to the Committee on Audit and Compliance.
8. Institutional Compliance Coordinating Committee
Stanford University
9. ICCC Members
EH&S
Hospital Compliance Officer
Office of Dean of Research
Office of Research Administration
Director of Research Compliance
Human Resources
Office for Campus Relations
Diversity and Access Office
Disability Resource Center
Dept. Athletics, PE, Recreation
Controller
Office of Development
School of Medicine
Office of Technology Licensing
SPCTRM
SMC – CFO
SLAC
Registrar
Office of General Counsel
ITSS
Office of Dean of Admissions and Financial Aid
Department of Public Safety
Procurement
University Architect & Planning
Risk Management
Internal Audit and Institutional Compliance
10. ICCC Topics – Stanford University
Sexual Harassment
HIPAA Security
New Policy Updates
Human Research Protection Program
Institutional Conflict of Interest
Recent Compliance Developments
Receipt and Solicitation of Gifts from University Vendors
Revised Internal Audit Departmental Compliance Program
Basics of Communicating with the Media
Time Accounting and Reporting for Non-Exempt Employees
11. ICCC Topics – Stanford University
Export Controls
Tax Exempt Organizations and Political Activity
New California Law on Data Security Reqmts for Researchers
Emerging Compliance Issues in Research Administration
Stanford/Packard Center for Translational Medicine (SPCTRM) Overview
Gift-Grant Policy Task Force
EH&S Occupational Health Center
Human Embryonic Stem Cell Research
Annual Risk Assessment
12. ICCC Risk Assessment – Top 10
Insufficient enforcement of underage drinking laws
Possible IRS audit of our responsible use of University unrestricted funds
Inadequate observance of University policies on timeliness and justification of expense transfers
Lack of expertise in employees with compliance responsibilities
Undisclosed financial relationships between faculty and outside businesses
Lack of emergency preparedness – SU, hospitals, and SoM
Inaccurate faculty effort reporting and related monitoring
Insecure storage of restricted data
Lack of an adequate research administration support system
Use of restricted gifts in compliance with donor restrictions
13. ICCC Subcommittees
OFAC
Private Use and Tax Exempt Bonds
Postdoctoral Affairs
Expense Reimbursement Policy
Accessible Technology
Code of Conduct
Information Security and Privacy
Staff Conflict of Interest and Commitment
SEVIS
Institutional Training
14. Committee on Management Control and Compliance
Stanford Hospitals
15. CMCC Members - SHC
Chief Operating Officer (Chair)
Chief Compliance and Privacy Officer
Chief Information Officer
Chief of Staff
Chief Hospital Counsel
Chief Risk Officer
Chief Financial Officer
VP – Patient Financial Services
VP – General Services
VP – Clinical Services
VP – Human Resources
VP – Ambulatory Care Services
VP – Laboratory Services
Director – Accreditation and Regulatory Affairs
Executive Director – Internal Audit and Institutional Compliance
16. CMCC Topics - SHC
Industry Interaction Policy
Recovery Audit Contractor Results
Disaster Preparedness
Wrong Site Procedures
Clinical Trials Billing
Professional Fee Billing
Transplant Compliance
NPI Regulations and Compliance
Clinical Labs Compliance
Non-covered Services or Devices, Off-label and Product Recalls
ROI in Mental Health
Annual Risk Assessment
17. CMCC Risk Assessment Top 10 - SHC
Clinical Trials
Professional Fee Billing
Disaster Preparedness
Clinical Labs – Adequacy and Compliance of Operations
EPIC System Implementation
CMS Engaged Recovery Audit Coordinator
Hospital Facility Fee Billing
Billing: Hybrid Model
Conflicts of Interest
Technical Infusion Center – Documentation and Coding
18. CMCC Members - LPCH
Chief Operating Officer (Chair)
Chief Compliance and Privacy Officer
Chief of Staff
Chief Hospital Counsel
Chief Risk Officer
Chief Information Officer
Chief Financial Officer
Chief Medical Officer
VP – Patient Financial Services
VP – Clinical Services
VP – Ambulatory Services
VP – General Services
VP, Human Resources
VP – Patient Care Services
Director Accreditation and Regulatory Affairs
Executive Director – Internal Audit and Institutional Compliance
19. CMCC Topics - LPCH
Clinical Trials Budgeting Process
Industry Interactions Policy
Hybrid Model
Disaster Preparedness
Lab Governance and Operations
Transplant Issues
Clinical Trials Billing
Professional Fee Billing
National Provider Identifier
Medication Systems
IT Systems
LINKS Conversion Status and Emergency Protocols/Order Entry
Communications Systems
Employee Immunizations
Annual Risk Assessment
20. CMCC Risk Assessment Top 10 - LPCH
Professional Fee Billing
Hospital Facility Fee Billing
IT Systems
Communication Systems
Employee Immunizations
Disaster Preparedness
Links System Conversion
Computerized Physician and Provider Order Entry
Billing: Hybrid Model
Clinical Trials Billing
21. Questions re: Compliance Committees
Do you have an Institutional Compliance Committee?
Who is represented on the committee?
Who chairs the committee?
How often does the committee meet?
What topics/issues are addressed by committee?
What other information is reported to the Compliance Officer (i.e. other than through a Compliance Committee)?
22. Reporting to Board of Trustees
23. Reporting to Board of Trustees
An annual Audit and Compliance report is provided to the Audit and Compliance Committee of the Board of Trustees
Report addresses major activities and accomplishments of the Institutional Compliance Program
Hours devoted to Institutional Compliance Program
ICCC Meetings
ICCC Subcommittees
Specific accomplishments (e.g. new Code of Conduct)
Early Warning Services provided
STARS Business Owner
Helpline Investigations
ICCC Topics and Subcommittees are itemized in an Appendix to the Annual Report
24. Questions re: Board Reporting
What information do you report to your governing Board?
How often is this information reported?
25. Assessment Process
26. Compliance Assessment Tool
Standards, Policies, & Procedures
Roles & Responsibilities
Program Oversight
Awareness, Education, & Training
Lines of Communication
Monitoring & Evaluating
Enforcement
Corrective Action
Sufficient Resources
27. Standards, Policies, & Procedures
Is there a code of conduct?
Are faculty and staff aware of code of conduct and related compliance expectations?
Are written policies and procedures in place and clearly communicated to manage compliance-related risks?
Do users know and understand them?
Are roles and responsibilities clearly specified?
Are monitoring and oversight processes in place to ensure policies and procedures are followed?
Do the monitoring and oversight processes work?
Is responsibility assigned to maintain and update policies and procedures to reflect changes in laws, regs., etc.?
28. Roles and Responsibilities
Are there clearly identified roles and responsibilities for those engaged in activities to mitigate compliance risks?
Do these individuals understand their roles and responsibilities?
Do these individuals have the information, skills, and authority to fulfill their compliance responsibilities?
Do these individuals adequately fulfill their responsibilities?
Are roles and responsibilities accurate, current, and easy to locate?
29. Program Oversight
Is there a regular process for responsible parties to inform management about compliance activities and concerns?
Is senior management appropriately aware of compliance activities and concerns?
Do University managers understand the significance of ethical conduct and compliance? (“tone at the top”)
Do faculty and staff believe ethical conduct and compliance are significant institutional expectations?
Has the university or area named a Compliance Officer with appropriate powers and expertise?
Does the Compliance Officer function effectively?
30. Awareness, Education, and Training
Is there a process to identify who needs to be provided with training, education, and awareness about compliance risks?
Does this process effectively identify new employees who need training/education?
Does this process effectively identify existing employees who need additional/ongoing training or education?
Is there a process to ensure those who need formal education or training on compliance risks receive the training?
Is attendance documented to ensure those who need the training/education receive it?
Are there processes to evaluate whether recipients of training/education understand the information delivered?
Are there processes to communicate emergent compliance issues, problem areas, and targeted awareness to those whose activities create compliance risks?
Are these processes effective?
31. Lines of Communication
Are there processes for faculty and staff to get answers to compliance-related questions?
Do faculty and staff know where to go to get answers to compliance-related questions?
Do they receive timely, accurate answers?
Is there a process to allow confidential reporting of compliance concerns?
Is the process effective in receiving and promptly responding to compliance concerns?
Have adequate protections been established for employees who lodge reports and employees against whom reports are made?
Is the process for protections effective and consistently followed?
Do faculty and staff know about and feel confident to use these processes?
32. Monitoring and Evaluating
Are there formal plans for ongoing monitoring of compliance activities?
Do the monitoring plans address high priority compliance risks?
Is regular monitoring conducted?
Are there formal plans for evaluating compliance effectiveness?
Do the evaluation processes address high priority compliance risks?
Are the results of compliance evaluations documented?
Is there a process to communicate the results of monitoring and evaluation to senior management?
Is senior management effectively informed of the results of compliance monitoring and evaluation?
33. Enforcement
Are there clearly established and well publicized consequences for violations of compliance rules?
Are the consequences understandable and effectively communicated?
Do faculty and staff believe there will in fact be consequences for violation of significant compliance rules?
Are employee retention, advancement, and compensation expressly tied to compliance expectations?
Do employees believe adherence to compliance and ethical standards is part of their retention, advancement, and compensation?
34. Corrective Action
Is there a system for prompt and adequate investigation of detected non-compliance by appropriate officials?
Are incidents promptly and adequately investigated?
Is there a system to ensure timely and appropriate corrective action is taken?
Are appropriate corrective actions taken?
Is there a process for reporting (internally and externally) compliance violations?
Are compliance violations properly and promptly reported?
Is there a process to ensure detected violations are not systemic problems or indicators of larger compliance issues?
Are appropriate mechanisms in place to ensure similar breakdowns do not occur and that systemic problems are corrected?
35. Sufficient Resources
Is there a process to evaluate whether adequate resources are provided to support compliance functions based upon risk levels?
Has the University provided adequate resources to implement necessary compliance practices?
36. Compliance Assessment Results
37. STARS
38. STARS
Stanford Training and Registration System (STARS) is the Learning Management System for Stanford University
STARS is a component of our PeopleSoft system
Institutional Compliance is the process owner of STARS
STARS is designed to capture all compliance related training
STARS is a key reporting tool for compliance-related training
39. Compliance Helpline
40. Compliance Helpline
Stanford employees who have concerns of any kind stemming from possible noncompliance with government or external agency regulations, related University policies, or errors or irregularities in Stanford’s financial accounting practices or policies can report them.
Raising such concerns is a service to the University and will not jeopardize your employment.
The Compliance Helpline is confidential, anonymous (if desired), and resolution will be made by knowledgeable individuals.
The program is managed by the Executive Director of Internal Audit and Institutional Compliance.
All contacts are communicated to the General Counsel and the Chair of the Audit and Compliance Committee.
Submissions may be made via:
Web, Email, Phone, Fax
41. Next Steps
42. Next Steps
Expand roles and responsibilities of Institute Compliance Officer
Update Website
Conduct Program Assessment during next fiscal year
Enhance capabilities and support of STARS – Learning Management System
Develop schedule for functional areas to report at ICCC meetings
43. Questions?
http://www.stanford.edu/dept/Internal-Audit/
rick.moyer@stanford.edu
650-736-1201