2006 ACUA Midyear Seminar Compliance Track Presented by: April 10-12, 2006 PowerPoint Presentation
Presentation Transcript

2006 ACUA Midyear Seminar

Compliance Track

Presented by:

April 10-12, 2006

Charles Chaffin Jane Youngers Pete Carlon

David Givens Amy Barrett Kimberly Hagara

Michael Charlton Paige Buechley Lisa Blazer

Paul Pousson Dick Dawson


Compliance Track Agenda

  • Day 1
    • Compliance fundamentals
    • High compliance risk areas
      • Environmental Health and Safety
  • Day 2
      • Research
      • NCAA
  • Day 3
      • Student Financial Aid
      • Other high compliance risk areas
    • Wrap-up and Enterprise Risk Management

The Fundamentals of Compliance in Higher Education

Presented by:

Charles G. Chaffin, CPA, CIA

Director of Audits and System-wide Compliance Officer

The University of Texas System

April 10, 2006


Outline

  • What is Compliance?
  • Compliance Fundamentals
  • Audit’s Value in Compliance
  • High Risk Areas
Who we are
  • ~90,000 employees
  • 183,000 students (3K to 50K per campus)
  • $31.9 billion total assets
  • $19.3 billion portfolio under management
  • $9.6 billion annual operating budget
  • $5 billion dollar construction program
  • >$1.5 billion dollars in annual research funds
  • 2.1 million acres in West Texas, nearly 10,000 producing wells
  • Major Research Programs, NCAA Programs
  • 6 Physician Practice Plans, 4 Hospitals
UT System Institutions
  • U.T. Arlington
  • U.T. Austin
  • U.T. Brownsville
  • U.T. Dallas
  • U.T. El Paso
  • U.T. Pan American
  • U.T. Permian Basin
  • U.T. San Antonio
  • U.T. Tyler
  • U.T. Southwestern Medical Center at Dallas
  • U.T. Medical Branch at Galveston
  • U.T. Health Science Center at Houston
  • U.T. Health Science Center at San Antonio
  • U.T. M.D. Anderson Cancer Center
  • U.T. Health Center at Tyler

What is Compliance?

  • Compliance is focused on ensuring that an entity operates within the boundaries of all applicable laws, rules, policies and regulations governing higher education institutions (internal and external)
  • Compliance is critical to avoid monetary loss/penalties, loss of funding, damage to reputation, and demands on executive time
  • An effective compliance program should result in fewer surprises through early detection of non-compliance and fraud

What is Non-compliance?

  • “The University of Connecticut will pay $2.5 million to settle allegations it filed false grant applications and overbilled the government for research” – Jan ’06
  • “The University of South Florida has fired three employees after it found $275,000 in misplaced checks and cash in their office” – Jan ’06
  • The U.S. attorney delivered an ultimatum to the troubled University of Medicine and Dentistry of New Jersey telling its governing board to accept a federal takeover of the school's financial operations or face criminal prosecution that could shut it down – Dec ’05
    • “double billing Medicare and Medicaid by at least $4.9 million”
    • “The University of Medicine and Dentistry of New Jersey improperly awarded more than $16 million in contracts last year without competitive bidding”
  • American University excessive compensation, travel and personal expenses
  • “ITT Educational Services Inc. agreed to pay $725,000 to settle a lawsuit in which employees charged that the higher education company had inflated students’ grade point averages so they qualified for more financial aid from the State of California.”
UT System Non-compliance
  • UTPA – Forgery - $250,000 – 1991
  • UT Austin – Fictitious Vouchers - $800,000 – 1994
  • Several Institutions – IRS issues - $1 Million – 1992-1994
  • UT Austin – Illegal Drugs in Chemistry Department – 1994
  • Medical School – Medicare Billing - $17 Million – 1997
  • UTMB Galveston – Human Subjects – closed research - 2000

Compliance vs. Audit Programs

  • Compliance works with the business units to maximize compliance with applicable laws, rules, regulations, policies and procedures
    • Compliance functions are generally embedded in the business function and are part of the control structure
    • On-going, daily assurance
  • Audit is an independent, objective assurance and consulting activity designed to add value by evaluating the control structure
    • Periodic and after the fact assurance
Elements of a Successful Compliance Program

  • For an organization to have an effective compliance program, the following elements are required:

1. Existence of written standards

2. Effective oversight

3. Due care in delegation of authority

4. Training

5a. Monitoring and auditing to detect non-compliance

5b. Provide and publicize a system to report non-compliance

6. Standards consistently enforced through appropriate discipline

7. Corrective action once offense has occurred to prevent future similar instances

Note: From the United States Federal Sentencing Guidelines, 1991

Implementing an Effective Institutional Compliance Program
  • Definition: An Institutional Compliance Program is one that encompasses your entire university
      • Must have one within Athletics
      • And within the Safety Program
  • The Institutional Compliance Program joins it all together, creating a situation in which one individual is held accountable by the president
Implementation of an Effective Institutional Compliance Program (cont’d)
  • Building the Infrastructure
  • Creating Compliance Awareness
  • Managing Critical Risks
  • Appraisal and Renewal
A. Building the Infrastructure
  • TIME and RESOURCES required
    • Driven by the size and overall complexity of your institution
    • Convincing your institution to fund and/or staff the program
  • Specific tasks
    • Appoint a COMPLIANCE OFFICER
      • Current executive or a new position, Full-time or part-time
      • Attorney, Auditor, Business Officer
    • Appoint a COMPLIANCE COMMITTEE
      • Executive – President’s Cabinet
      • Working Committee – High Risk Area Department Heads (H.R. Director, Safety Officer, etc.)
    • Establish a COMPLIANCE FUNCTION/OFFICE
      • Full-time staff or slice of current staff time
      • Housed in the legal, audit, business affairs office, or it can stand alone
A. Building the Infrastructure - Compliance Office Responsibilities
  • Compliance Office responsibilities
    • Make compliance a part of everyday activities of the institution
    • Monitor the various compliance program activities
    • Communicate with the chief executive officer and others regarding compliance program activities
    • Establish a compliance function
A. The Infrastructure
  • Compliance Officer
  • Compliance Committee
  • Compliance Function/Office
  • Institutional Community Imbued with Ethical Culture
B. Creating Compliance Awareness
  • Compliance Awareness = An Institution Imbued with Ethical Culture
      • From the bottom up, include everyone
  • Develop a Standards of Conduct Guide (Code of Conduct)
  • Develop a General Compliance Training Program
      • Face-to-face
      • Web-based
      • Articles and emails
  • Establish a confidential reporting mechanism (Compliance Hotline)
      • Third Party Vendor
      • In-house Legal or Audit
      • Email
C. Managing Critical Risks
  • Risk ASSESSMENT Process
    • Identify risks to achieving the goals and objectives of the institution:
      • Probability of Occurrence
      • Potential Impact Related to Occurrence
        • Identify the SHOW-STOPPERS
C. Managing Critical Risks - Risk Assessment Matrix

[Figure: Risk Assessment Matrix. Column headings: Objective/Activity; Risk & Exposure; Rank Before Controls (Potential Impact, Prob. of Occur.); Mitigation Strategy; Best Practices (Operating Controls, Monitoring Controls, Oversight Controls, I/A Controls); Rank After Controls. Values shown: H/M/L; HH, HM, HL, MH, MM; Avoid, Accept, Transfer, Control.]

C. Managing Critical Risks (cont’d)
  • Determine risks that are organization critical:
    • Medicare Billing Rules (fines)
    • Research Time and Effort Reporting (fines)
    • Research Human Subjects (suspension)
    • Research Medical Billing (fines)
    • Lab Safety (injury)
    • Fire (injury and death)
    • Athletic Recruiting (loss of scholarships)
    • Athletic Boosters (loss of scholarships)
    • Sexual Harassment (very bad)
    • Endowment Spending (repay endowment)
C. Managing Critical Risks (cont’d)
  • Risk MANAGEMENT Process for “A” risks
    • Single High-Level Responsible Party
      • Dean or Provost, VP of Research or Business, HR Director
      • Knowledge and authority to manage risk
    • Specialized Training Plan
      • Risk Specific – For whom, what knowledge, frequency, by whom
    • Monitoring Plan
      • How do you know if you are following the rules?
    • Reporting Plan
      • Report Cards to Compliance Officer and/or President, corrective action
      • What activity and items to be reported, frequency, for whom
C. Managing Critical Risks - Monitoring Plan

Monitoring plans

Every step in a monitoring plan should already exist in the policies and procedures that manage the risk

The monitoring plan serves as the criteria for all types of assurance services

The monitoring plan for high risks must include Level 1, Level 2, and Level 3 controls

The monitoring plan must indicate the documentation that is created by each level of control

Levels of Internal Control

[Figure: chart of the levels of internal control. Axis "Involvement In Process": None, Little, Some, Totally. Axis "TIME": Real Time, Soon After, Periodically, Annually. "ITEMS AFFECTED": Isolated Items; Exceptions, status; Sample of Transactions; Every Transaction. Levels shown: Level 1 - Execution; Level 2 - Supervisory; Level 3 - Oversight; Level 4 – I/A. Credit: UT System Audit Office, David B. Crawford, 07/28/99.]

Assurance Continuum

Model for the 21st Century

  • Collaborative Assurance (Governance and Management Control Processes)
  • Periodic Assurance (Governance Control Processes)
  • On-going Assurance (Management Control Processes)
  • Level 4 Controls: Pre-operations design review of on-going assurance
  • Level 1 Controls: During execution of event or transaction
  • Level 2 Controls: Immediately after execution of event or transaction
  • Level 3 Controls: Soon after execution of event or transaction
  • Level 4 Controls: Post-operations audit of execution of on-going assurance


C. Managing Critical Risks - Monitoring Plan

  • Execution or Operating Controls (Level 1)
    • Policies and procedures, data integrity, segregation of duties
    • Embedded in day-to-day operations and performed by generators of events
    • Performed on every event/transaction in real time
    • Monitoring plan will include a definition of the documentary evidence created to support the application of the operating controls
  • Supervisory or Monitoring Controls (Level 2)
    • Supervisory review of operating controls to be performed
    • Performed by line management or staff positions not originating the event
    • Performed on sample of total events soon after the event/transaction
    • Monitoring plan will include a definition of the documentary evidence created to support the application of the supervisory controls
C. Managing Critical Risks - Assurance Activities

  • Oversight Controls (Level 3)
    • Exception reports, status reports, analytical reviews, variance analysis
    • Performed by representatives of executive management not part of day-to-day operations on information provided by supervisory management
    • Performed weeks to months after event/transaction originated
    • Examples include compliance inspection
  • Audit Controls (Level 4)
    • Performed by staff with no involvement in the operations
    • Performed weeks to months after event/transaction originated
    • Examples include Internal/External audits of high-risk area or compliance program, peer reviews
Collaborative Assurance Model

| Level of Assurance Provided | Execution Controls Performed by | Supervisory Controls Performed by | Oversight Controls Performed by | I/A Controls Performed by |
|---|---|---|---|---|
| Optimal | Management | Management | Management | Internal Audit |
| Acceptable | Management | Management | Internal Audit | Internal Audit |
| Marginal | Management | Internal Audit | Internal Audit | Internal Audit |
| Unacceptable | Internal Audit | Internal Audit | Internal Audit | Internal Audit |
| Unacceptable | Management | Management | Management | Management |

Assurance Strategies Matrix

| Assurance Strategy | Provided by | Provided On | Provided For |
|---|---|---|---|
| Certification | Responsible Party | Responsible Party | Compliance Officer |
| Inspection | Compliance Function | Responsible Party | Compliance Officer & Chief Executive Officer (CEO) |
| Agreed Upon Procedures | Internal Auditing | Responsible Party | Compliance Officer |
| Design Audit | Internal Auditing | Compliance Officer | CEO & Governance |
| Information Validation Audit | Internal Auditing | Responsible Party & Compliance Function | CEO & Governance |
| External Peer Review (in lieu of compliance oversight) | External peer review team of subject matter experts | Responsible Party | Compliance Officer |
| External Peer Review (in lieu of Internal Auditing information audit) | External peer review team of subject matter experts | Responsible Party & Compliance Function | CEO & Governance |
| External Peer Review (of the compliance program) | External peer review team | Compliance Officer, Compliance Function and the Compliance Committee | CEO & Governance |
| Other External Assurance Providers | Accreditation Team, External Auditors, Regulators | Responsible Party | Compliance Officer, CEO, & Governance |

D. Appraisal and Renewal
  • Addressing instances of non-compliance
  • On-going assurance regarding the management of mission critical risks
    • Certifications
    • Inspections
    • Peer Reviews
    • Agreed-upon Procedures
    • Audits (design and/or information validation)
  • Periodic assessment of the Compliance Program
    • Self-assessment
    • External Peer Review
  • Renewal
    • (Action Plan based on periodic assessment)
Benefits of Effective Compliance Program
  • Reduction in NEGATIVE PUBLICITY
  • Reduction in FINES and EXTERNAL AUDITS
  • Reduction in WORKERS’ COMP. CLAIMS
  • Safety Program Awards
  • Change in Organizational Culture
  • Established Basis for Enterprise-wide Risk Management and Accountability Program
Sharing What We Learned
  • How-to-do-it book: Effective Compliance Systems: A Practical Guide for Educational Institutions available from The Institute of Internal Auditors, Inc
  • Hosted: 4 National Conferences on Effective Compliance Systems/ERM in Higher Education
    • March 2000; October 2002; April 2004; March 2006 in Austin, Texas
  • Hosted: Sarbanes-Oxley Conference October 2003
  • Sharing: Presentations at ACUA and IIA conferences, at individual institutions of higher education, and to commercial organizations
  • Sharing: Major Research Institutions Compliance Group formed after 2nd Compliance Conference

Compliance and Audit

  • Compliance works with the business units to maximize compliance with applicable laws, rules, regulations, policies and procedures
    • Compliance functions are generally embedded in the business function and are part of the control structure
    • On-going, daily assurance
  • Audit is an independent, objective assurance and consulting activity designed to add value by evaluating the control structure
    • Periodic and after the fact assurance
Internal Audit Plays a Key Role in Developing a Compliance Program
  • Understands COSO
  • Experience in Risk Assessments
  • Know the Different Levels of Controls
  • Ability to Train
  • Audited Compliance Issues for Years
Compliance Audit Objectives
  • To provide assurance that an effectively designed compliance program for the high risk area has been implemented and is operating effectively
    • Are risk assessments taking place?
    • Are risk management plans in place for all high compliance risk areas?
      • Single high-level responsible party?
      • Specialized training provided to appropriate personnel, by appropriate content experts?
      • Monitoring plans in place and being executed for all high compliance risk areas?
      • Is the reporting structure operating? Corrective actions implemented?
    • Providing periodic assessment of the overall compliance program
  • To provide assurance that the institution is in compliance with policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports
When to audit

The Compliance Office is responsible for conducting inspections of all the high risk areas, except for the ones for which they are responsible

Inspections

  • Inspection results:
    • Ready for audit - Internal Audit schedules the audit
    • Not ready for audit - The Compliance Office works with the responsible person and informs Internal Audit when the area is ready
  • Internal Audit performs the inspections on areas where the responsible party is in the Compliance Office
Audit Procedures
  • Leverage prior audits and/or other institution audit procedures within your system
  • Gain an understanding of the high risk area
  • Test the high risk area
      • Monitoring
      • Training
      • Reporting
  • Audit report to management
Gaining an Understanding
  • Review prior audits
  • Review policies and procedures relevant to the high risk area
  • Review the inspection report and any working papers prepared by the Compliance Office
    • Follow up on any recommendations made in the inspection report.
  • Review the Institutional Compliance Program manual for information relating to the high risk area, such as:
    • Risk Assessment
      • Assess for reasonableness, any changes, etc.
    • Compliance Program Operations Guide
      • Assess for reasonableness, completeness
    • Method of Monitoring
  • Interview the responsible person, others as considered necessary
  • Attend educational conferences highlighting high compliance risk areas (!)
Testing - Method of Monitoring
  • Determine if the responsible person is monitoring compliance as stated in the monitoring plan
  • Review documentation maintained by the responsible person to ensure that monitoring is being documented
  • Determine if monitoring plan appears reasonable. Is it measurable, sufficient to ensure compliance, etc. based on auditor’s understanding of the area?
Testing - Examples of Audit Tests of Monitoring

Method of Monitoring:

Supervisory review of journal entries by Manager of Financial Reporting.

Audit procedure:

Select a sample of journal entries to determine if Manager is reviewing and approving journal entries.

Testing - Training
  • Determine if training is being performed in accordance with the training plan
  • Review documentation, such as sign-in sheets, etc., to ensure that training is being performed
  • Determine if training plan appears reasonable, based on auditor’s understanding of the area. Is the population of employees specified? Do responsible persons receive training?
Testing - Reporting
  • Determine if reporting is being performed in accordance with the reporting plan
  • Review documentation, such as quarterly reports and compliance committee meeting minutes to ensure that reporting is being performed
Exit Conference

First, an exit conference is held with the responsible person and any others deemed necessary to discuss potential findings and recommendations

Audit Report
  • Then, a report is drafted. When the responsible person is satisfied and the report has gone through appropriate levels of review, it is addressed to the President and given to the following:
    • Responsible person
    • Responsible person’s supervisor (Dean, VP, etc.)
    • Members of the Audit and Compliance Committee
    • Compliance Officer
    • Assistant Compliance Officer(s)
Audit Report
  • Background – Describes the compliance program, applicable policies and procedures, risks of noncompliance
  • Audit Objectives – purpose of the audit
  • Scope and Methodology – Details of what we did to achieve the audit objectives
  • Summary of Significant Findings – if any
  • Audit Results & Management’s Responses – positive features of the compliance program, and any recommendations for improvement
  • Conclusion – As to the effectiveness of the compliance program
Audit Report
  • Usually any high risk area audit recommendations are classified as significant to operations
  • If the recommendation does not significantly affect the monitoring, training, or reporting functions, then it is classified as significant to the high risk area’s compliance operations
Audit Report

Why do we put compliance recommendations in the audit report?

Audit Report

So they will be implemented!


High Risk Areas

  • * Environmental Health & Safety - proper use and handling of dangerous materials, lab safety, and fire safety
  • * Research - research not conducted in accordance with approved protocol or federal regulations
  • * Contract Administration / Effort Reporting - improper effort reporting on federal grants, unallowable costs
  • * Intercollegiate Athletics - adherence to the rules and regulations of the NCAA
  • * Student Financial Aid – Student eligibility, fiscal management in accordance with Education Department

* High Risk Areas to be discussed in this track


High Risk Areas (continued)

  • Clinical Billing - medical billing that is not appropriately documented and coded
  • Endowments - adherence to terms of endowment agreement
  • Asset Management - safeguarding of physical and financial assets
  • Human Resources - adherence to applicable rules, regulations and laws including equal opportunity/affirmative action, leave administration, and fair hiring practices
  • Information Resources/Security - systems integrity/continuity/availability, security regulations, and external access
  • Privacy (HIPAA, FERPA, Gramm-Leach-Bliley) – improper disclosure of private/sensitive/protected information
Environmental Health & Safety

J.J. Pickle Research Campus

Regulatory Agencies

Pulse Reactor

Resources
  • www.utsystem.edu/compliance
  • www.utsystem.edu/AUD
  • www.theiia.org
  • www.coso.org