
Compliance Office Responsibilities

Compliance Office Responsibilities: make compliance a part of everyday activities of the institution; monitor the various compliance program activities; communicate with the chief executive officer and others regarding compliance program activities; establish a compliance function.


Presentation Transcript


  1. Compliance Office Responsibilities • Make compliance a part of everyday activities of the institution • Monitor the various compliance program activities • Communicate with the chief executive officer and others regarding compliance program activities • Establish a compliance function

  2. Making Compliance a Part of Everyday Activities • Awareness communication avenues • Risk-based plan and compliance manual • Training tools and delivery mechanisms • Monitoring plans and assurance processes • Confidential reporting mechanism • Reporting procedures

  3. Monitor Compliance Program Activities • Training • “A” list risk monitoring plans • Non-compliance • Program

  4. Communicate with Executive Management • Instances of non-compliance that require executive action • Risk-based plan • Monitoring activities • Compliance Committee meeting minutes • Compliance program self-assessment

  5. Four Elements required for Managing Compliance “A” Risks • Responsible party • Monitoring plan • Specialized training plan • Reporting plan Each high risk must have all 4 elements.

  6. Responsible party must exhibit each of the following: • Exclusive responsibility for managing the risk • Knowledge to manage the risk • Authority to manage the risk

  7. Specialized Training Plan Identifies— • Who is trained • Level of knowledge transferred • Frequency of training • Provider of training

  8. Specialized Training Matrix

  9. Reporting Plan should include:
  • Activity to be reported
    - Supervisory control activities detailed in monitoring plan
    - Training activity detailed in training plan
  • Items to be reported for each activity, such as number of transactions examined or number of employees trained
  • Frequency of reporting for each activity
  • Who receives the report for each activity

  10. Supervisory control activities to be reported: • The number or percentage of execution events or transactions in the universe and number examined • The number or percentage of execution events or transactions that failed the control attribute • The identified causes of failure • The action taken to mitigate repetitive failure • The need for process improvement • The need to escalate the consequence of non-compliance to mitigate repetitive non-compliance

  11. Examples: • Number of purchase contracts reviewed from the universe of contracts • Number of purchase contracts that did not satisfy the competitive bidding process • Identified causes of failure, such as personal preference of the requestor • Action taken, such as providing training to all buyers • Process changes, such as modifying the computer program to include RFP# and Award Designation • Second instance for the same requestor: need to remove budget spending authority

  12. Compliance Committee Purpose • To provide the senior executive level decision-making function for the compliance program

  13. Compliance Committee Duties and Responsibilities • Provide guidance and direction including policy decisions • Allocate resources • Ensure that appropriate action is taken for instances of non-compliance

  14. Compliance Committee Composition • Size • Management Level • Line Management v. Staff Management

  15. Compliance Committee Support Mechanisms
  • Compliance Function
    - Compliance Coordinator and staff
    - Monitor & assist high risk responsible parties
    - Perform training and risk assessment
  • Working Group
    - High risk area representatives
    - Perform specific tasks, as assigned by the compliance officer, that would normally be performed by the compliance function staff

  16. Employee Group Insurance Risk Self-Assessment

  17. Collaborative Assurance Philosophy • Risk Management is the responsibility of every employee • Risk Management Assurance is provided by all levels of the organization • A Risk Self-Assessment is the basis for all risk management and risk management assurance activities

  18. Risk Management Vocabulary (see handout)

  19. Risk Management Components • Define a common risk management process • Assess Risk • Manage Risk • Learn and renew Make risk management a part of everyday activities

  20. Risk Self-Assessment: The Tool 1. Identify Goals and Objectives 2. Convert to Activities or Processes 3. Inventory Risks 4. Measure Risks 5. Prioritize Risks

  21. Goals and Objectives • Strategic Plan • Annual Operating Plans • Work Unit Goals and Objectives

  22. Assessing Risks 1. Establish Organization Objectives 2. Assess Risk (A. Identify, B. Measure, C. Prioritize) 3. Choose Mitigation Strategy

  23. Brainstorming: The Technique • People involved in the process or activity • Identify activities performed to achieve goals and objectives • Inventory risks associated with each activity

  24. Brainstorm and Consolidate

  25. Then…Prioritize

  26. Range Rankings

  27. Mitigation Strategies • Accept - no mitigation • Avoid - do not do the activity • Transfer - contract out/manage contract • Control - internal mitigation actions • Exploit - do something else

  28. Assurance Continuum

  29. What is It? A model of both periodic and on-going assurance regarding the management of risks.

  30. What are its Benefits?
  • Governance Benefits
    - Appropriate Assurance on all Risks
    - Fewer Surprises
  • Management Benefits
    - Real-time assessment
    - Ownership
  • Internal Audit Benefits
    - Increased Coverage
    - Value-added effort

  31. Assurance Continuum Model for the 21st Century (timeline diagram; recovered content follows)
  Collaborative Assurance (Governance and Management Control Processes) spans the whole continuum: Periodic Assurance (Governance Control Processes) at both ends, On-going Assurance (Management Control Processes) in between.
  • Internal Audit Controls: pre-operations design review of on-going assurance
  • Execution Controls: during execution of event or transaction
  • Supervisory Controls: immediately after execution of event or transaction
  • Oversight Controls: soon after execution of event or transaction
  • Internal Audit Controls: post-operations audit of execution of on-going assurance

  32. Levels of Control in the Assurance Continuum

  33. Levels of Internal Control (chart; UT System Audit Office, David B. Crawford, 07/28/99). Axes: involvement in process, items affected, time.
  • Execution Controls: totally involved in process; every transaction; real time
  • Supervisory Controls: some involvement; sample of transactions; soon after
  • Oversight Controls: little involvement; exception reports; periodically
  • Internal Audit: no involvement; isolated items; annually

  34. Execution Controls (Operating Controls) • Embedded in day-to-day operations • Policies and procedures • Segregation of Duties • Reconciliations/Comparisons • Performed on every event/transaction • Performed by the generators of the event/transaction • Performed in ‘real time’, as the event/transaction is executed

  35. Supervisory Controls (Monitoring Controls) • Re-application of operating controls • Supervisory Review; Quality Assurance; Self Assessment • Performed very soon after the generation of the event/transaction • Performed by line management or staff positions who do not originate the event/transaction • Performed on a sample of the total number of events/transactions

  36. Oversight Controls (Executive Controls) • Exception reports, status reports, analytical reviews, variance analysis • Performed by representatives of executive management • Performed on information provided by supervisory management • Performed within a short period (weeks/months) after the event/transaction is originated

  37. Internal Audit Controls (Governance Controls) • Audit of the design of controls, not the operation of controls • Performed either before the event/transaction is originated or long after • Performed by staff with no involvement in the operations • Performed on individual events/transactions for discovery only

  38. Operational Examples: Levels of Control in the COSO Model (LOCs)

  39. Risk Management Plan

  40. Managing Risk
  • Use the Risk Management Plan
  • Assign Responsibility
    - Risk Management Responsibility
    - Oversight Control Responsibility
  • Develop the following plans:
    - Monitoring
    - Specialized training
    - Reporting
  • Pre-defined set of consequences for non-compliance with risk management plan

  41. Monitoring Plan • Execution Controls • Supervisory Controls • Oversight Controls

  42. Monitoring Plan

  43. Specialized Training Plan • Knowledge required to manage risk • Who needs that knowledge • How to transfer knowledge • How to measure effectiveness of transfer

  44. Collaborative Assurance: Learning and Renewing • Gap analysis and Action Plans • “Play it again Sam!”

  45. Gap Analysis and Action Plans • Self-assessments • Supervisory Controls • Oversight Controls • Internal Auditing

  46. Play It Again Sam! General Purpose Process (A - E): A. Objectives, B. Identify Risk Areas, C. Assess Risk, D. Risk Response, E. Learning. Detailed Process (1 - 9). (Source: Adapted from TBS Integrated Risk Management Framework)
