Compliance Program Assessments in Higher Education:
How They Add Value
Steve Tremaglio, Manager of Compliance
June 3, 2013
Northwestern Facts
• 3 Campuses
– Evanston, Illinois
– Chicago, Illinois
– Doha, Qatar
• 12 Colleges and Schools
• Faculty
– 2,500 full time
• Staff
– 5,444 full time
• Students
– 16,000 full‐time
[Image: The Evanston campus]
Session Objectives
• Compliance Program Framework: Components
• Northwestern University’s approach for assessing compliance program effectiveness
• Analyzing the assessment results
– Common areas for improvement
– How to design recommendations that add value
Regulatory Compliance: What’s the big deal?
Noncompliance can be costly to higher education institutions:
• $15 million; inflated research grant costs
• $12 million; over‐billing charges of unallowable items
• $12 million; underpayment of royalties
• $5.6 million; medical over‐billing
• $5.5 million; effort reporting issues
• $4 million of federal grant money returned; inappropriately spending research funds and failing to properly record purchases.
• $1.2 million; inflated research overhead costs
• $650,000; research fraud and abuse
• $205,000 to cover mismanagement for misspending a gift
Compliance Framework
• Identify essential components and controls of an effective compliance program utilizing a Compliance Framework:
– Federal Sentencing Guidelines
– Committee on Sponsoring Organizations
Publisher: The IIA Research Foundation (IIARF)
Publish Date: 2001
Authors: David B. Crawford, CIA, CCSA, CPA
Book available through:
• IIARF
• Amazon
Federal Sentencing Guidelines
• Rules that set out a uniform sentencing policy for convicted defendants (including organizations) in the federal court system.
• Two factors that mitigate the ultimate punishment of an organization are:
– Existence of an effective compliance and ethics program
– Self‐reporting, cooperation, or acceptance of responsibility
Federal Sentencing Guidelines*
Effective Compliance and Ethics Program Requirements:
• “Exercise due diligence to prevent and detect criminal conduct”.
• “Promote organizational culture that encourages ethical conduct and commitment to compliance with the law.”
• “Periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement to reduce the risk of criminal conduct identified through this process.”
• Understand the significant regulatory risks managed on behalf of the University.
• Assess the effectiveness of unit compliance programs
• Identify any “gaps” in compliance program.
• Establish observations and mitigation strategies.
• Increase awareness of “best practices” in mitigating compliance risk.
Compliance Program Assessment Methodology
• Limited to interviews with members who have responsibility for managing and carrying out compliance activity related to the regulatory areas selected.
• Not designed to test compliance with regulations, rather, to assess the compliance program in comparison with the established Framework.
Assessment Cycle Approach
Planning
Fieldwork
Reporting
Follow‐up
Planning
• Planning Memo
• Planning Meeting
• Kick-off Meeting
• Background and Research
Planning: Background and Research
1. Develop understanding of unit/process
2. Initial review of federal, state, and local regulations to identify areas managed by unit:
• University’s Regulatory Matrix
• Enterprise Risk Management (ERM) Reports
ERM Risk Classification
Academic Risks
Compliance Risks
Financial Risks
Operational Risks
Reputational Risks
Research Risks
Strategic Risks
ERM Categorizes All Types of Risk
Planning: Research (cont.)
Additional Resources:
Catholic University of America:
Campus Legal Information Clearinghouse: http://counsel.cua.edu/
Cornell University Law School:
U.S. Code: http://www.law.cornell.edu/uscode/
Code of Federal Regulations: http://www.law.cornell.edu/cfr/
Government Sites:
U.S. Government Printing Office: http://www.gpo.gov/fdsys/
Illinois General Assembly: http://www.ilga.gov/legislation/ilcs/
Discuss process and expectations of the assessment.
• Introductions
• Factors considered in selecting area for assessment
• Objectives and scope and outline of process
• Protocol for communicating assessment results
• Review list of regulatory areas and key risk areas managed by the unit
• Follow‐up with email notification
Fieldwork
Phases:
• Interview
– One on one client interviews
– Draft interview notes
• Examination
– Documentation Review
– Inspecting documents and reports for specific attributes
– Evaluation of unit’s process
– Work paper review
• Formulating/Confirming Observations
• Wrap‐up
Fieldwork: Interview
One on one client interviews:
Writing an Observation – 5 Elements
• Condition: What is?
• Criteria: What should be?
• Cause: Why did the condition occur?
• Effect: Risk, what could go wrong?
• Recommendation: Action needed to correct the cause.
Writing an Observation ‐ Example
The sentence below contains all essential elements of a well‐written observation:
“Responsibility for compliance throughout [Unit] is shared by two operating groups which manage [operating activities] in their own areas and report to different members of [Unit] leadership. These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance. Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made. Assigning one member of unit leadership to oversee [operating activities] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of [Unit’s] compliance program.”
Writing an Observation (cont.)
Here’s the sentence broken down into elements:
Condition: “Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made.”
Criteria: Assigning high level personnel to oversee the compliance program.
Cause: “Responsibility for compliance throughout [Unit] is shared by two operating groups which manage [operating activity] in their own areas and report to different members of [Unit] leadership.”
Effect: “These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance.”
Recommendation: “Assigning one member of [Unit] leadership to oversee [operational activity] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of Unit’s compliance program.”
Fieldwork: Wrap‐up Meeting
• No surprises!
• Discuss draft report/formal list of observations
• Bring evidence/support for results
• Focus should also include positive results and/or improvements
• Clearly explain next steps and avoid delays in issuing the final report!
• Thank the participants
• Solicit feedback
Fieldwork Best Practices
• Communication!
– Client
– Compliance Services Management
• Escalate issues and any changes
• Keep evidence of Observations!
Assessment Results
36% ‐ Insufficient Monitoring
Deficiencies resolved by:
• Developing additional processes and new roles and responsibilities to ensure the monitoring is taking place.
• Creating and maintaining records to track their progress.
• Filing reports with the local, state, and federal government on a timely basis.
Importance:
• To prevent or detect non‐compliance
Assessment Results
21% ‐ Policies and Procedures Incomplete or Inadequate
Deficiencies resolved by:
• Documenting policies and procedures aligned with the regulatory requirements.
Importance:
• Staff understands what management expects of them.
• Continue to meet the regulatory requirements even though key personnel may leave the University.
Assessment Results
17% ‐ Self‐assessment not performed.
Deficiencies resolved by:
• Evaluating their compliance program annually or every two years and evaluating the current status of the program.
• Identifying and remedying any gaps in the program
• Reporting the assessment results to the unit lead
Importance:
• Provides personnel with the information needed to evaluate and improve the overall effectiveness of the compliance program.
Assessment Results
13% ‐ Inadequate supervisory review and/or segregation of duties
Deficiencies resolved by:
• Reorganizing responsibilities, and
• Requiring supervisory review to be performed before filing with the federal, state, and local agencies.
Importance:
• To limit errors and omissions.
Report Writing
Executive Summary
• Start draft process before fieldwork (template, scope, distribution list)
• Include: Purpose, Scope, Description of statute/regulation reviewed, and Summary of Results/Ratings