
ASSURANCE STRATEGIES

ASSURANCE STRATEGIES. The University of Texas System Institutional Compliance Program. Agenda.  Session Objectives – Jolene Lampton Roll Call – Charles Chaffin Opening Remarks – Chancellor Burck  Assurance Strategies • Assurance continuum and review of controls – David Crawford

adamdaniel

Presentation Transcript


  1. ASSURANCE STRATEGIES The University of Texas System Institutional Compliance Program

  2. Agenda Session Objectives – Jolene Lampton • Roll Call – Charles Chaffin • Opening Remarks – Chancellor Burck  Assurance Strategies • Assurance continuum and review of controls – David Crawford • Certifications Jolene Lampton and Kristi Fisher, UT Tyler • Inspections Jolene Lampton and Sharon Corum, UTHSC Houston • Agreed Upon Procedures - David Crawford • Audits Charlie Chaffin and Toni Messer, UT Dallas • Peer reviews Charlie Chaffin and Bob Emery, UTHSC Houston • Other External Assurance Providers – David Crawford • Deciding which assurance strategy to use – David Crawford  Questions and Answers – David Crawford  Summary – David Crawford

  3. Session Objectives
     • Assurance strategies increase the confidence level that others have in the reliability and relevance of the compliance function.
     • The goal is to give assurance about managing the “A” risks and the compliance function - its activities and its compliance officer.
     • Review and discussion of the different types of controls:
       – execution controls
       – supervisory controls
       – oversight controls
       – internal audit controls

  4. Execution Controls (Operating Controls)
     • Embedded in day-to-day operations
       – Policies and procedures
       – Segregation of Duties
       – Reconciliations/Comparisons
     • Performed on every event/transaction
     • Performed by the generators of the event/transaction
     • Performed in ‘real time’ as the event/transaction is executed

  5. Supervisory Controls (Monitoring Controls)
     • Re-application of operating controls
       – Supervisory Review; Quality Assurance; Self Assessment
     • Performed very soon after the generation of the event/transaction
     • Performed by line management or staff positions who do not originate the event/transaction
     • Performed on a sample of the total number of events/transactions

  6. Oversight Controls (Executive Controls)
     • Exception reports, status reports, analytical reviews, variance analysis
     • Performed by representatives of executive management
     • Performed on information provided by supervisory management
     • Performed within a short period (weeks/months) after the event/transaction is originated

  7. Internal Audit Controls (Governance Controls)
     • Audit of the design of controls, not the operation of controls
     • Performed either before the event/transaction is originated or long after
     • Performed by staff with no involvement in the operations
     • Performed on individual events/transactions for discovery only

  8. Increasing Confidence . . . a goal of assurance

  9. Certifications – Given by each manager or responsible party for their area/s Are essentially self-assessments Say that responsible parties are performing all operating and monitoring controls that are required Usually provides minimum confidence level Signed certifications provide increased value Are greatly enhanced if validated by compliance or internal auditing personnel Should be used for every operational unit

  10. Lesson Learned #1
      Certifications should be used for every operational unit - even if additional assurance strategies are used.
      • Provides level of assurance for functional areas
      • Pushes managers to find out what is happening in their units before they certify

  11. Certifications – Kristi Fisher, UT Tyler

  12. Inspections – Are oversight controls Are on-going during current operating period Emphasize that responsible parties perform their supervisory controls Indicate there is a plan in place to manage the “A” risks

  13. Criteria for the inspection process
      • Uses the monitoring plan
      • Uses the specialized training plan
      Compliance personnel examine records, individual transaction documentation, and corrective action documentation (if needed) and ensure correct reporting to the compliance officer.

  14. Lesson Learned #2
      Acceptable inspection programs require the examination of DOCUMENTED evidence
      • To verify that supervisory controls were performed
      • To verify that corrective action was taken if appropriate

  15. Inspections – Sharon Corum, UTHSC Houston

  16. Agreed Upon Procedures
      • Performed by Internal Auditing function
      • An assurance for the compliance officer - almost exactly like an inspection
      • Results are only reported to the Compliance Officer and Compliance Committee
      • For Internal Auditing, this is a consulting service – not an audit
      • Procedures are actually contracted with the internal auditing department
      • Internal auditing staff are working for the compliance function

  17. Lesson Learned #3
      • When internal auditing is performing the oversight function under contract or agreement with the compliance officer, the process is NOT an audit.

  18. Agreed Upon Procedures – Presentation by Mike Peppers, UT Medical Branch; David Crawford, Presenter

  19. Audits of Compliance Function
      • Subject to professional standards of the internal auditor
      • Criteria used by the internal auditor would be the monitoring plan and specialized training plan for the “A” risks
      • Audit program will be designed to ensure that risks are properly managed with special emphasis on oversight controls and supervisory controls
      • Working papers are the property of the internal auditing department
      • Audit report is through normal audit process

  20. Audits . . .
      • Design audits
        – Requests to audit the design of the compliance program
        – Internal Auditor and executive management agree upon the purpose of the audit
      • Information validation audits
        – Requests for independent, objective party to audit
        – Three parties involved: group seeking assurance (executive management), group providing the information in question (compliance program), and the assurance provider (internal auditing)

  21. Lesson Learned #4
      • If specific instances of non-compliance are identified during the execution of the audit program, the internal auditor should report those specific instances of non-compliance to the compliance officer and the compliance committee. Specific instances of non-compliance will not be in the audit report.

  22. Audits – Toni Messer, UT Dallas

  23. External Expert Peer Reviews
      • External subject matter experts perform the review
      • Professional stature of the peer review team will affect the value of the review
      • External peer reviews may be the only feasible way to obtain assurance

  24. Types of External Peer Reviews
      1. In lieu of compliance oversight
         – Provided for compliance officer
         – Provided by external peer review team subject matter experts
      2. In lieu of internal audits
         – Provided for CEO and governance function
         – Provided by external peer review team subject matter experts
      3. Of the compliance program
         – Provided for CEO and governance function
         – Provided by external peer review team

  25. Lesson Learned #5
      • The compliance officer and compliance committee should have a formal agreement with the peer review team that is signed by each team member. Agreement should address confidentiality, who will receive the report, how to transmit sensitive information, destruction of working notes, etc.

  26. Peer Reviews – Bob Emery, UTHSC Houston

  27. OTHER EXTERNAL ASSURANCE PROVIDERS
      • Compliance officer, CEO, and governance function obtain assurance from other assurance providers.
        – JCAHO
        – External auditors
        – Accreditation teams (SACS)
        – Federal auditors
        – Regulators

  28. Lesson Learned #6
      • Reports of all external evaluations should be filed with one particular institutional official, such as the general counsel, the internal auditor, the director of institutional research, or the chief risk officer. This will eliminate redundancy and will provide opportunities to distribute reports to all affected parties.

  29. DECIDING WHICH ASSURANCE STRATEGY TO USE
      Criteria depend on:
      • significance of the risk
      • prior experience with risk and its management
      • availability of cost effective assurance strategies
      • confidence level needed

  30. QUESTIONS AND ANSWERS

  31. SUMMARY
      • The primary focus of assurance is to increase the confidence of decision-makers to an acceptable level at the lowest cost.
      • Each strategy is defined by service provided, provider, and information being validated.
      • The examples presented show a wide range of strategies that give assurance.
