Assurance strategies

ASSURANCE STRATEGIES. The University of Texas System Institutional Compliance Program. Agenda.  Session Objectives – Jolene Lampton Roll Call – Charles Chaffin Opening Remarks – Chancellor Burck  Assurance Strategies • Assurance continuum and review of controls – David Crawford

Presentation Transcript
Assurance Strategies


The University of Texas System

Institutional Compliance Program

Agenda

  • Session Objectives – Jolene Lampton

  • Roll Call – Charles Chaffin

  • Opening Remarks – Chancellor Burck

  • Assurance Strategies

    — Assurance continuum and review of controls – David Crawford

    — Certifications – Jolene Lampton and Kristi Fisher, UT Tyler

    — Inspections – Jolene Lampton and Sharon Corum, UTHSC Houston

    — Agreed Upon Procedures – David Crawford

    — Audits – Charlie Chaffin and Toni Messer, UT Dallas

    — Peer reviews – Charlie Chaffin and Bob Emery, UTHSC Houston

    — Other External Assurance Providers – David Crawford

    — Deciding which assurance strategy to use – David Crawford

  • Questions and Answers – David Crawford

  • Summary – David Crawford

Session Objectives

  • Assurance strategies increase the confidence level that others have in the reliability and relevance of the compliance function.

  • The goal is to give assurance about managing the “A” risks and the compliance function - its activities and its compliance officer.

  • Review and discussion of the different types of controls:

    — execution controls

    — supervisory controls

    — oversight controls

    — internal audit controls

Execution Controls (Operating Controls)

• Embedded in day-to-day operations

    – Policies and procedures

    – Segregation of Duties

    – Reconciliations/Comparisons

• Performed on every event/transaction

• Performed by the generators of the event/transaction

• Performed in ‘real time’ as the event/transaction is executed

Supervisory Controls (Monitoring Controls)

• Re-application of operating controls

    – Supervisory Review; Quality Assurance; Self Assessment

• Performed very soon after the generation of the event/transaction

• Performed by line management or staff positions who do not originate the event/transaction

• Performed on a sample of the total number of events/transactions

Oversight Controls (Executive Controls)

• Exception reports, status reports, analytical reviews, variance analysis

• Performed by representatives of executive management

• Performed on information provided by supervisory management

• Performed within a short period (weeks/months) after the event/transaction is originated

Internal Audit Controls (Governance Controls)

• Audit of the design of controls not the operation of controls

• Performed either before the event/transaction is originated or long after

• Performed by staff with no involvement in the operations

• Performed on individual events/transactions for discovery only


Increasing Confidence

. . . a goal of assurance

Certifications


• Given by each manager or responsible party for their area/s

• Are essentially self-assessments

• Say that responsible parties are performing all operating and monitoring controls that are required

• Usually provides minimum confidence level

• Signed certifications provide increased value

• Are greatly enhanced if validated by compliance or internal auditing personnel

• Should be used for every operational unit

Lesson Learned #1

 Certifications should be used for every operational unit - even if additional assurance strategies are used.

• Provides level of assurance for functional areas

• Pushes managers to find out what is happening in their units before they certify

Certifications

Kristi Fisher

UT Tyler

Inspections

• Are oversight controls

• Are on-going during current operating period

• Emphasize that responsible parties perform their supervisory controls

• Indicate there is a plan in place to manage the “A” risks

Criteria for the inspection process

• Uses the monitoring plan

• Uses the specialized training plan

Compliance personnel examine records, individual transaction documentation, and corrective action documentation (if needed) and ensure correct reporting to the compliance officer.

Lesson Learned #2

 Acceptable inspection programs require the examination of DOCUMENTED evidence

• To verify that supervisory controls were performed

• To verify that corrective action was taken if appropriate

Inspections

Sharon Corum

UTHSC Houston

Agreed Upon Procedures

• Performed by Internal Auditing function

• An assurance for the compliance officer - almost exactly like an inspection

• Results are only reported to the Compliance Officer and Compliance Committee

• For Internal Auditing, this is a consulting service – not an audit

• Procedures are actually contracted with the internal auditing department

• Internal auditing staff are working for the compliance function

Lesson Learned #3

 When internal auditing is performing the oversight function under contract or agreement with the compliance officer, the process is NOT an audit.

Agreed Upon Procedures

Presentation by –

Mike Peppers, UT Medical Branch

David Crawford, Presenter

Audits of Compliance Function

• Subject to professional standards of the internal auditor

• Criteria used by the internal auditor would be the monitoring plan and specialized training plan for the “A” risks

• Audit program will be designed to ensure that risks are properly managed with special emphasis on oversight controls and supervisory controls

• Working papers are the property of the internal auditing department

• Audit report is through normal audit process

Audits . . .

• Design audits

    – Requests to audit the design of the compliance program

    – Internal Auditor and executive management agree upon the purpose of the audit

• Information validation audits

    – Requests for independent, objective party to audit

    – Three parties involved – group seeking assurance (executive management), group providing the information in question (compliance program), and the assurance provider (internal auditing)

Lesson Learned #4

  • If specific instances of non-compliance are identified during the execution of the audit program, the internal auditor should report those specific instances of non-compliance to the compliance officer and the compliance committee.

    Specific instances of non-compliance will not be in the audit report.

Audits

Toni Messer

UT Dallas

External Expert Peer Reviews

• External subject matter experts perform the review

• Professional stature of the peer review team will affect the value of the review

• External peer reviews may be the only feasible way to obtain assurance

Types of External Peer Reviews

  • In lieu of compliance oversight

    — Provided for compliance officer

    — Provided by external peer review team subject matter experts

  • In lieu of internal audits

    — Provided for CEO and governance function

    — Provided by external peer review team subject matter experts

  • Of the compliance program

    — Provided for CEO and governance function

    — Provided by external peer review team

Lesson Learned #5

  • The compliance officer and compliance committee should have a formal agreement with the peer review team that is signed by each team member.

    Agreement should address confidentiality, who will receive the report, how to transmit sensitive information, destruction of working notes, etc.

Peer Reviews

Bob Emery

UTHSC Houston

Other External Assurance Providers

• Compliance officer, CEO, and governance function obtain assurance from other assurance providers.

    — JCAHO

    — Accreditation teams (SACS)

    — Regulators

    — External auditors

    — Federal auditors

Lesson Learned #6

  • Reports of all external evaluations should be filed with one particular institutional official, such as the general counsel, the internal auditor, the director of institutional research, or the chief risk officer.

    This will eliminate redundancy and will provide opportunities to distribute reports to all affected parties.

Deciding Which Assurance Strategy to Use

Criteria depend on:

• significance of the risk

• prior experience with risk and its management

• availability of cost effective assurance strategies

• confidence level needed

Summary

  • The primary focus of assurance is to increase the confidence of decision-makers to an acceptable level at the lowest cost.

  • Each strategy is defined by service provided, provider, and information being validated.

  • The examples presented show a wide range of strategies that give assurance.