Best Practices in Implementing an Effective Compliance Program - PowerPoint PPT Presentation

1
Best Practices in Implementing an Effective
Compliance Program

Presented by David B. Crawford, CIA, CCSA, and Justina Crawford, MA, BME
JDEnterprises
crawfordjd_at_earthlink.net
2
Agenda
  • Introduction
  • Essentials of An Effective Compliance Program
  • How to Begin
  • The First Six Months
  • Code of Conduct and General Compliance Training

3
Agenda (continued)
  • Risk Assessment
  • Managing the Critical Risks
  • Assurance Strategies
  • Handling Potential and Actual Instances of
    Non-compliance
  • What About the Non-critical Risks?
  • What's Next?

4
Compliance Program Objective
To provide an infrastructure that facilitates
on-going assurance that the institution is
complying with internal and external laws,
regulations, policies, and procedures.
5
Essential Elements
  • Compliance standards and procedures
  • High level manager in charge
  • Communicate what is important to all employees
  • Monitor and Audit
  • Confidential Reporting Mechanism
  • Consistent enforcement and discipline
  • Respond, learn, and adjust

6
Compliance & COSO
COSO components:
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
Compliance program counterparts:
  • Standards; high-level manager in charge
  • Communicate what is important
  • Monitoring plans
  • Awareness and reporting mechanisms
  • Monitor and audit

7
Developing the Action Plan
  • Ad hoc committee to develop plan
  • Outside assistance
  • Words are so important
  • Approval from highest authority possible
  • It takes longer than you think
  • It must have relevance to each individual employee

8
The First Six Months
  • Establish the compliance committee structure
  • Appoint a Compliance Officer
  • Establish a compliance function
  • Train the infrastructure employees

9
Compliance Committees
  • Executive Compliance Committee (ECC)
  • Compliance Working Committee (CWC)
  • High-risk Sub-committees

10
ECC Purpose
  • To provide the executive-level decision-making
    function for the institution's compliance program
  • To serve as an extension of the Board in
    providing the oversight function for the
    compliance program at the institution

11
ECC Duties and Responsibilities: Provide Guidance &
Direction
  • Establish the policies for the compliance program
  • Set the tone at the top for the institution's
    commitment to ethics, integrity, and doing the
    right thing
  • Walk the talk, that is, provide a continuous
    example of how the institution expects employees
    to act

12
ECC Duties and Responsibilities: Allocate
Appropriate Resources
  • Appoint a senior executive as the Compliance
    Officer
  • Appropriate resources are dictated by the
    complexity of the compliance environment of the
    institution
  • Resources include budgets specifically for
    compliance infrastructure activities and the
    structuring of compliance activities into normal
    operational duties

13
ECC Duties and Responsibilities: Oversee the
Institution's Compliance Program
  • Understand the compliance risk picture of the
    institution
  • Approve the Annual Compliance Operating Plan to
    manage the institution's critical compliance risks
  • Monitor the execution of the plan to manage
    compliance risks
  • Review sanctions (for significant non-compliance
    instances) and rewards (for exemplary compliance
    efforts) to ensure equity and consistency

14
ECC Composition and Operation
  • Senior executives
  • Size is determined by compliance complexity and
    operating philosophy
  • Meetings should be held as frequently as necessary
    to perform duties and responsibilities, but at
    least quarterly
  • Maintains minutes of meetings

15
Compliance Working Committee
  • Composition: the responsible party from each
    high-risk area
  • Duties:
  • Receive periodic activity reports from each
    high-risk area
  • Perform specific tasks assigned by the Compliance
    Officer
  • Recommend the Critical Risks to the ECC
  • Act as Compliance Advocates & Cheerleaders

16
High-Risk Area Sub-Committees
  • Leader: the Compliance Working Committee member
    from the high-risk area
  • Members: employees representing each risk in the
    high-risk area
  • Duties:
  • Perform risk assessment of the High-risk area
  • Determine Critical Risks for the high-risk area
  • Develop monitoring, specialized training, and
    reporting plans for the critical risks in the
    high-risk area

17
The Compliance Officer? Current Executive Staff
Member
  • Pros:
  • Knows the culture
  • Immediate start
  • Network already established
  • No reallocation of resources required
  • Cons:
  • Not the main job
  • Compliance perceived as part of functional area
  • Possibly conflicts with regular duties

18
The Compliance Officer? Create a New Executive
Staff Position
  • Pros:
  • Main job
  • Not attached to an existing functional area
  • Cons:
  • Hiring process takes time
  • Must learn institutional culture
  • Must develop personal network
  • Delays program implementation
  • Reallocation of institutional resources required

19
Compliance Officer Responsibilities
  • Make compliance a part of everyday activities of
    the institution
  • Monitor the various compliance program activities
  • Communicate with the chief executive officer and
    others regarding compliance program activities
  • Establish a compliance function

20
Making Compliance a Part of Everyday Activities
  • Awareness communication avenues
  • Risk-based plan and compliance manual
  • Training tools and delivery mechanisms
  • Monitoring plans and assurance processes
  • Confidential reporting mechanism
  • Reporting procedures

21
Monitor Compliance Program Activities
  • Training
  • Critical risks monitoring plans
  • Monitoring of Non-compliance

22
Communicate with Executive Management
  • Instances of non-compliance that require
    executive action
  • Risk-based plan
  • Monitoring activities
  • Compliance Working Committee meeting minutes
  • Compliance program self-assessment

23
Establish the Compliance Function
  • Robust compliance function
  • Coordinator compliance function
  • Informal compliance function
  • No compliance function

24
Robust Compliance Function
  • Complex compliance environment
  • Full-time compliance officer
  • Full-time support staff
  • Separate budget and organizational chart
  • Absorbs previously independent compliance
    activities such as medical billing or
    environmental health & safety
  • Usually found in health-related and major
    research-oriented institutions

25
Coordinator Compliance Function
  • Complex compliance environment
  • Compliance Officer has other pre-existing
    responsibilities and devotes little time
  • Delegates daily operation of the compliance
    program to a coordinator
  • Full-time support staff, usually with separate
    budget
  • Usually found in academic institutions with some
    research, intercollegiate athletics, on-campus
    housing, etc.

26
Informal Compliance Function
  • Limited compliance environment
  • Full-time compliance officer
  • Support staff come from existing institutional
    operating units such as EHS, internal auditing,
    human resources, etc.
  • Budget limited and may be buried

27
No Compliance Function
  • Limited compliance environment
  • Compliance officer has other pre-existing
    functional responsibilities
  • Support provided by compliance committee, other
    institutional units, and outsiders
  • Budget usually for external help only
  • Usually found in small institutions engaged
    mostly in undergraduate instruction

28
Compliance Officer and Function Summary
  • Big job
  • Compliance officer must be a communicator
  • Compliance coordinator and staff need consultant,
    assurance provider mentality
  • Start-up decisions and long-term decisions may
    not be the same

29
Code of Conduct
  • Be careful of the words used
  • Do not establish new policies and procedures
  • Use a committee with broad representation of the
    university community to develop
  • Include faculty up-front

30
General Compliance Training
  • Curriculum
  • Content
  • Testing for Knowledge Transmission
  • Delivery Mechanisms
  • General Compliance Training Plan
  • Initial effort
  • Subsequent years

31
Risk Assessment: Definition of Compliance Risks
  • A compliance risk is the likelihood that an
    employee (faculty, administration, or staff) will
    fail to follow an internal policy or procedure or
    an external law, rule or regulation that applies
    to the activity in which they are engaged.

32
Risk Assessment Process
  • Perform compliance risk assessment for each risk
    area of the institution
  • Present area risk matrix to the Compliance
    Working Committee
  • CWC prepares a risk matrix for the institution
    that includes each area and its critical risks
  • CWC then re-determines the impact and probability
    of these risks from an institution perspective
    rather than an area perspective
  • The result is the Institutional Compliance Risk
    Matrix

33
How To Determine Your Critical Risks
  • This is determined by each institution
  • Guidelines might be:
  • Items with HH and HM values (high impact/high
    probability and high impact/medium probability)
    should be on the critical list
  • Items with HL and MH values may be on the critical list

34
Validate Your Critical Risk List
  • Compare your institutional critical risks to
    similar institutions or to available models
  • Be able to explain rationale for any item on your
    critical list that is not on the other
    institution or model risk list
  • Be able to explain rationale for any item on
    other institution or model risk list but not on
    your critical list
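The risk assessment process on the three preceding slides (area ratings, CWC re-determination from the institution's perspective, the HH/HM guideline, and validation against a model list) as a worked example. This is added code, not material from the presentation or its authors; every area, risk name, rating, re-rating and the "model" critical list in it is constructed for illustration.

```python
"""Risk-matrix workflow from the slides (area ratings -> CWC re-rating ->
HH/HM guideline -> comparison against a model list).
Added example; every area, risk name, rating and the "model" list below is
constructed for illustration, not data from the presentation."""
from dataclasses import dataclass

RATING_ORDER = {"H": 3, "M": 2, "L": 1}
MUST_BE_CRITICAL = {"HH", "HM"}   # guideline from the slides: should be critical
MAY_BE_CRITICAL = {"HL", "MH"}    # guideline from the slides: may be critical


@dataclass(frozen=True)
class Risk:
    area: str
    name: str
    impact: str       # H, M or L
    probability: str  # H, M or L

    @property
    def code(self) -> str:
        """Two-letter cell of the risk matrix, e.g. 'HM'."""
        return self.impact + self.probability


def validate_rating(value: str) -> str:
    if value not in RATING_ORDER:
        raise ValueError(f"rating must be H, M or L, got {value!r}")
    return value


# Constructed area sub-committee ratings (impact, probability).
AREA_RISKS = [
    Risk("Research", "Effort reporting", "H", "H"),
    Risk("Research", "Export controls", "H", "L"),
    Risk("Athletics", "Recruiting rules", "M", "H"),
    Risk("Housing", "Fire safety inspections", "H", "L"),
    Risk("Purchasing", "Competitive bidding", "M", "M"),
    Risk("Payroll", "Timesheet approval", "L", "H"),
]

# Constructed CWC re-determinations from the institution's perspective.
CWC_RERATINGS = {("Research", "Export controls"): ("H", "M")}

# Constructed "model" critical list from a comparable institution.
MODEL_CRITICAL = ["Effort reporting", "Export controls", "Competitive bidding"]


def institutional_matrix(area_risks, cwc_reratings):
    """Build the Institutional Compliance Risk Matrix: CWC re-ratings override
    the area ratings; everything else is carried over unchanged."""
    matrix = []
    for r in area_risks:
        impact, prob = cwc_reratings.get((r.area, r.name), (r.impact, r.probability))
        matrix.append(Risk(r.area, r.name, validate_rating(impact), validate_rating(prob)))
    return matrix


def classify(matrix):
    """Split the matrix into must-be-critical, may-be-critical and the rest,
    each sorted highest impact/probability first."""
    key = lambda r: (-RATING_ORDER[r.impact], -RATING_ORDER[r.probability], r.name)
    critical = sorted((r for r in matrix if r.code in MUST_BE_CRITICAL), key=key)
    candidates = sorted((r for r in matrix if r.code in MAY_BE_CRITICAL), key=key)
    other = sorted((r for r in matrix if r.code not in MUST_BE_CRITICAL | MAY_BE_CRITICAL), key=key)
    return critical, candidates, other


def validate_against_model(critical_names, model_names, rationale):
    """Compare our critical list with a model list. Every item on exactly one
    of the two lists needs a written rationale; report the ones lacking it."""
    ours, model = set(critical_names), set(model_names)
    return {
        "only_ours": sorted(ours - model),
        "only_model": sorted(model - ours),
        "unexplained": sorted(n for n in ours ^ model if n not in rationale),
    }


if __name__ == "__main__":
    critical, candidates, _ = classify(institutional_matrix(AREA_RISKS, CWC_RERATINGS))
    print("critical:", [r.name for r in critical])
    print("may be critical:", [r.name for r in candidates])
    print(validate_against_model([r.name for r in critical], MODEL_CRITICAL, {}))
```

The `rationale` argument is a dictionary keyed by risk name; an empty one makes every difference from the model list show up as unexplained, which is the state the slides say you must be able to talk your way out of.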

35
What About All the Other Compliance Risks?
  • Critical risks at every level must be managed
  • Critical risks at every level require:
  • Responsible party
  • Monitoring plan
  • Specialized training plan
  • Reporting plan
  • Difference between critical risks at the
    different levels is who performs the oversight,
    on whom, and for whom

36
Oversight Controls for Critical Risks at All
Levels
37
Keep Up with Changing Risk Environment
  • Centralized office to monitor external
    environment
  • High Risk responsible parties monitor their
    respective high risk area internal and external
    environment
  • Compliance Working Committee discusses
    environment and potential changes as a part of
    every meeting
  • Annual assessment of both internal and external
    environment

38
Risk Assessment Summary
  • Risk environment for your institution is unique
  • Risk environment continuously changes
  • Risk ranking changes with the environment
  • Risk assessment is on-going, not periodic
  • Be prepared for change by managing the critical
    risks at every level of the institution

39
Managing Critical Risks
  • Elements required for managing compliance
    critical risks
  • Essential role of the responsible party in
    managing risks
  • Attributes of monitoring plans that must be
    documented
  • Specific details required for training plans
  • Activities that should be reported in a sound
    reporting plan
  • Definitive lessons that can be learned in the
    management of critical risks

40
Four Elements Required for Managing Critical
Risks
  • Responsible party
  • Monitoring plan
  • Specialized training plan
  • Reporting plan

41
Responsible Party Characteristics
  • Exclusive responsibility for managing the risk
  • Knowledge to manage the risk
  • Authority to manage the risk

42
Lesson Learned
  • If more than one responsible party is indicated,
    it usually means:
  • The risk should be split into multiple risks.
  • One of the responsible parties does not fulfill
    the requirements of a responsible party; usually
    the authority to manage is the requirement not
    met.
  • The true responsible party does not want to
    acknowledge responsibility.

43
Lesson Learned
  • The Chief Executive Officer has a vested
    interest in having the appropriate staff member
    designated as the responsible party for each
    high-risk area because the responsible party is
    the CEO's direct representative in the on-going,
    everyday compliance assurance network.

44
Monitoring Plan
  • Every step in a monitoring plan should already
    exist in the policies & procedures that manage
    the risk
  • The monitoring plan serves as the criteria for
    all types of assurance services
  • The monitoring plan must include Level 1, Level
    2, and Level 3 controls
  • The monitoring plan must indicate the
    documentation that is created by each of the
    levels of control

45
Assurance Continuum: Levels of Control in COSO
[Figure: Collaborative Assurance (Governance and Management Control Processes), shown as a timeline around the event or transaction. Recoverable labels:]
  • Periodic Assurance (Governance Control Processes): Level 4 Controls (Internal Audit), performed as a pre-operations design review of on-going assurance and as a post-operations audit of the execution of on-going assurance
  • On-going Assurance (Management Control Processes): Level 1 Controls (Execution), performed during execution of the event or transaction; Level 2 Controls (Supervisory), performed immediately after execution; Level 3 Controls (Oversight), performed soon after execution
46
Level 1 Controls (Execution Controls)
  • Embedded in day-to-day operations:
  • Policies and procedures
  • Segregation of duties
  • Reconciliations/comparisons
  • Performed on every event/transaction
  • Performed by the generators of the
    event/transaction
  • Performed in real time as the
    event/transaction is executed

47
Level 2 Controls (Supervisory Controls)
  • Re-application of operating controls
  • Supervisory review, quality assurance,
    self-assessment
  • Performed very soon after the generation of
    the event/transaction
  • Performed by line management or staff
    positions who do not originate the
    event/transaction
  • Performed on a sample of the total number of
    events/transactions

 
48
Level 3 Controls (Oversight Controls)
  • Exception reports, status reports, analytical
    reviews, variance analysis
  • Performed by representatives of executive
    management
  • Performed on information provided by supervisory
    management
  • Performed within a short period (weeks/months)
    after the event/transaction is originated

49
Level 4 Controls (Internal Audit Controls)
  • Audit of the design of controls, not the
    operation of controls
  • Performed either before the event/transaction
    is originated or long after
  • Performed by staff with no involvement in the
    operations
  • Performed on individual events/transactions for
    discovery only

50
Lesson Learned
  • The best place to seek and get help in developing
    an appropriate monitoring plan is your internal
    audit department.

51
Specialized Training Plan
  • Identifies:
  • Who is trained
  • Level of knowledge transferred
  • Frequency of training
  • Provider of training

52
Specialized Training Matrix
53
Reporting Plan Should Include
  • Activity to be reported:
  • Supervisory control activities detailed in the
    monitoring plan
  • Training activity detailed in the training plan
  • Items to be reported for each activity, such
    as number of transactions examined or number of
    employees trained
  • Frequency of reporting for each activity
  • Who receives the report for each activity

54
Supervisory Control Activities to Be Reported
  • The number or percentage of execution events or
    transactions in the universe and number examined
  • The number or percentage of execution events or
    transactions that failed the control attribute
  • The identified causes of failure
  • The action taken to mitigate repetitive failure
  • The need for process improvement
  • The need to escalate the consequence of
    non-compliance to mitigate repetitive
    non-compliance

55
Examples
  • Number of purchase contracts reviewed from the
    universe of contracts
  • Number of purchase contracts that did not satisfy
    the competitive bidding process
  • Identified causes of failure, such as personal
    preference of the requestor
  • Action taken, such as providing training to all
    buyers
  • Process changes, such as modifying the computer
    program to include RFP and Award Designation
  • Second instance for a requestor: need to remove
    budget spending authority
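The supervisory-control report described on the two preceding slides, worked through on the purchase-contract example: size of the universe and the sample, failures, their causes, the corrective action, and which requestors have reached a second instance. This is an added example, not code from the presentation; the contract records, the reviewer names and the thresholds are constructed, and the two actions it recommends are the ones the slide itself gives as examples.

```python
"""Supervisory-control report for a monitored critical risk (competitive
bidding on purchase contracts), following the reporting items on the slides.
Added example; the contract records and thresholds below are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractReview:
    contract_id: str
    requestor: str
    examined: bool           # part of the supervisory sample?
    competitive_bid: bool    # satisfied the competitive bidding process?
    failure_cause: str = ""  # recorded by the reviewer when the control failed


# Constructed universe of ten contracts; five were sampled by the supervisor.
SAMPLE = [
    ContractReview("C-001", "alice", True, True),
    ContractReview("C-002", "alice", True, False, "personal preference of requestor"),
    ContractReview("C-003", "bob", False, True),
    ContractReview("C-004", "carol", True, True),
    ContractReview("C-005", "alice", True, False, "personal preference of requestor"),
    ContractReview("C-006", "dave", False, True),
    ContractReview("C-007", "carol", False, True),
    ContractReview("C-008", "bob", True, False, "emergency purchase, no documented waiver"),
    ContractReview("C-009", "erin", False, True),
    ContractReview("C-010", "dave", False, True),
]


def pct(part, whole):
    """Percentage rounded to one decimal; an empty universe or sample gives 0.0."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def control_report(reviews, escalation_threshold=2, training_trigger_pct=20.0):
    """Produce the items a reporting plan asks for: universe and sample size,
    failures, causes, corrective action and escalation candidates.
    Thresholds are constructed assumptions, not figures from the slides."""
    examined = [r for r in reviews if r.examined]
    failed = [r for r in examined if not r.competitive_bid]
    causes = Counter(r.failure_cause or "cause not recorded" for r in failed)
    per_requestor = Counter(r.requestor for r in failed)
    # Second (or later) failure by the same requestor: escalate the consequence.
    escalate = sorted(n for n, c in per_requestor.items() if c >= escalation_threshold)
    failed_pct = pct(len(failed), len(examined))
    actions = []
    if failed_pct >= training_trigger_pct:
        actions.append("provide training to all buyers")            # action from the slides' example
    for name in escalate:
        actions.append(f"remove budget spending authority: {name}")  # action from the slides' example
    if "cause not recorded" in causes:
        actions.append("reviewers must document a cause for every failure")
    return {
        "universe": len(reviews),
        "examined": len(examined),
        "examined_pct": pct(len(examined), len(reviews)),
        "failed": len(failed),
        "failed_pct": failed_pct,
        "causes": dict(causes.most_common()),
        "escalate": escalate,
        "actions": actions,
    }


if __name__ == "__main__":
    for item, value in control_report(SAMPLE).items():
        print(f"{item}: {value}")
```

Note that the failure rate is computed over the examined sample, not the whole universe; the report carries both counts so the reader can see how much of the universe the sample actually covers.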

56
Lesson Learned
  • Managing the critical risks is a learning
    process that provides information about:
  • Level of compliance
  • Instances of non-compliance and why they
    occur
  • Effectiveness of and/or need for specialized
    training

57
Managing Critical Risks Summary (1/2)
  • Responsible party should have exclusive
    responsibility for the risk, knowledge to manage
    the risk, and authority to manage the risk.
  • A monitoring plan is not new controls but an
    organized method of displaying controls that
    already should exist.
  • Monitoring plans include execution, supervisory,
    and oversight controls and how they are
    documented
  • Monitoring plans are the road map for all
    assurance services.

58
Managing Critical Risks Summary (2/2)
  • A specialized training plan includes who will be
    trained, training content for each target group,
    training provider, and measurement techniques
    that will be used.
  • A reporting plan includes what activity will be
    reported, the details to be reported for each
    activity, and to whom the reports will be
    directed.
  • Managing the critical risks provides the ability
    to improve operations performance

59
Assurance Strategies
  • Assurance strategies increase the confidence
    level that others have in the reliability and
    relevance of the compliance function.
  • The goal is to give assurance about managing the
    critical risks and the compliance function
  • Strategies are:
  • Certification
  • Inspections and Agreed-upon procedures
  • External Expert Peer Reviews
  • Audits
  • Other External Assurance Providers

60
Certifications
  • Given by each manager or responsible party for
    their area(s)
  • Are essentially self-assessments
  • Say that responsible parties are performing all
    operating and monitoring controls that are
    required
  • Usually provide the minimum confidence level
  • Signed certifications provide increased value
  • Are greatly enhanced if validated by compliance
    or internal auditing personnel
  • Should be used for every operational unit

61
Lesson Learned
  • Certifications should be used for every
    operational unit, even if additional assurance
    strategies are used.
  • Provides a level of assurance for
    functional areas
  • Pushes managers to find out what is
    happening in their units before they
    certify

62
Inspections
  • Are oversight controls
  • Are on-going during the current operating period
  • Emphasize that responsible parties perform their
    supervisory controls
  • Indicate that the plan in place to manage the
    critical risks is being followed

63
Criteria for the inspection process
  • Uses the monitoring plan
  • Uses the specialized training plan
  • Compliance personnel (or others) examine
    records, individual transaction documentation,
    and corrective action documentation (if needed)
    and ensure correct reporting to the compliance
    officer.

64
Lesson Learned
  • Acceptable inspection programs require the
    examination of DOCUMENTED evidence:
  • To verify that supervisory controls were
    performed
  • To verify that corrective action was taken if
    appropriate

65
Agreed Upon Procedures
  • Performed by the Internal Auditing function
  • An assurance for the compliance officer,
    almost exactly like an inspection
  • Results are only reported to the Compliance
    Officer and Compliance Committee
  • For Internal Auditing, this is a consulting
    service, not an audit
  • Procedures are actually contracted with the
    internal auditing department
  • Internal auditing staff are working for the
    compliance function

66
Lesson Learned
  • When internal auditing is performing the
    oversight function under contract or agreement
    with the compliance officer, the process is NOT
    an audit.

67
External Expert Peer Reviews
  • External subject matter experts perform the
    review
  • Professional stature of the peer review team
    will affect the value of the review
  • External peer reviews may be the only feasible
    way to obtain assurance

68
Types of External Peer Reviews
  • 1. In lieu of compliance oversight
  • Provided for the compliance officer
  • Provided by an external peer review team of subject
    matter experts
  • 2. In lieu of internal audits
  • Provided for the CEO and governance function
  • Provided by an external peer review team of subject
    matter experts
  • 3. Of the compliance program
  • Provided for the CEO and governance function
  • Provided by an external peer review team

69
Lesson Learned
  • The compliance officer and compliance committee
    should have a formal agreement with the peer
    review team that is signed by each team member.
  • Agreement should address confidentiality, who
    will receive the report, how to transmit
    sensitive information, destruction of working
    notes, etc.

70
Audits
  • Subject to professional standards of the
    internal auditor
  • Criteria used by the internal auditor would be
    the monitoring plan and specialized training plan
    for the critical risks
  • Audit program will be designed to ensure that
    risks are properly managed with special emphasis
    on oversight controls and supervisory controls
  • Working papers are the property of the internal
    auditing department
  • Audit report is through normal audit process

71
Audits (continued)
  • Design audits
  • Requests to audit the design of the compliance
    program
  • Internal Auditor and executive management
    agree upon the purpose of the audit
  • Information validation audits
  • Requests for an independent, objective party to
    audit
  • Three parties involved: the group seeking
    assurance (executive management), the group providing
    the information in question (compliance program),
    and the assurance provider (internal auditing)

72
Lesson Learned
  • If specific instances of non-compliance are
    identified during the execution of the audit
    program, the internal auditor should report those
    specific instances of non-compliance to the
    compliance officer and the compliance committee.
  • Specific instances of non-compliance will not be
    in the audit report.

73
Other External Assurance Providers
  • The compliance officer, CEO, and governance
    function obtain assurance from other assurance
    providers:
  • JCAHO
  • External auditors
  • Accreditation teams (SACS)
  • Federal auditors
  • Regulators

74
Lesson Learned
  • Reports of all external evaluations should be
    filed with one particular institutional official,
    such as the general counsel, the internal
    auditor, the director of institutional research,
    or the chief risk officer.
  • This will eliminate redundancy and will provide
    opportunities to distribute reports to all
    affected parties.

75
Deciding Which Assurance Strategy To Use
  • Criteria depend on:
  • significance of the risk
  • prior experience with risk and its
    management
  • availability of cost effective assurance
    strategies
  • confidence level needed

76
Assurance Strategies Matrix
77
Assurance Strategy Summary
  • The primary focus of assurance is to increase the
    confidence of decision-makers to an acceptable
    level at the lowest cost.
  • Each strategy is defined by service provided,
    provider, and information being validated.
  • The examples presented show a wide range of
    strategies that give assurance.

78
Confidential Reporting Mechanism
  • Methods Available
  • Triage Process
  • Relationship to Other Reporting Sites

79
Lesson Learned
  • Confidential reporting mechanisms cannot and
    should not be the primary mechanism for
    discovering and correcting non-compliance!

80
Line Management Responsibilities
  • Process policies and procedures are the primary
    mechanism for discovering and correcting
    noncompliance
  • Line management from the first line supervisor to
    the chief administrative officer are responsible
    for taking corrective action in cases of
    noncompliance

81
Pre-Determined Consequences for Noncompliance
  • Ensures consistent, equitable action
  • Influences employee and manager behavior
  • Fulfills the Federal Sentencing Guidelines
    requirement for discipline and corrective action

82
What About Those Risks That Do Not Make the
Critical List?
  • Manage at the appropriate level
  • Be sure the four essentials are present
  • Responsible party
  • Monitoring Plan
  • Specialized Training Plan
  • Reporting Plan
  • Be prepared for changes in your risk environment

83
What's Next? Learn and Renew
  • Develop a self assessment instrument
  • Conduct a self assessment
  • Undergo an External Peer Review
  • Develop a new Action Plan
  • Do It!

84
www.utsystem.edu/compliance