Compliance Essentials Training Session - PowerPoint PPT Presentation

Slides: 27
Provided by: utsy

Transcript and Presenter's Notes


1
Compliance Essentials Training Session: Managing the A Risks
August 3, 2006
Presented by Charlie Chaffin, Director of Audits and System-wide Compliance Officer
2
Outline
  • Elements required for managing compliance A
    risks
  • Role and responsibilities
  • Breakout topics

3
The Elements
  • Risk MANAGEMENT Process for A risks
  • Single High-Level Responsible Party Accountability
    • Exclusive responsibility for managing the risk
    • Knowledge and authority to manage risk
  • Specialized Training Plan
    • Risk specific: to whom, what knowledge, frequency, by whom
  • Monitoring Plan
    • How do you know if you are following the rules?
  • Reporting Plan
    • Report Cards to Compliance Officer and/or President, corrective action
    • What activity and items to be reported, frequency, by and for whom

4
Monitoring Plans
  • What does a monitoring plan include?
  • Operating (execution) controls
  • Supervisory (monitoring) controls
  • Oversight (executive) controls
  • Indicates the documentary evidence that is
    created by each level of control
  • There must be a documented trail left by the
    supervisor that can be verified by an oversight
    reviewer
  • A monitoring plan serves as the roadmap for all
    types of assurance services
  • A monitoring plan should not be new controls
  • Every step in a monitoring plan should already
    exist in the policies and procedures that manage
    the risk
  • However, this may not be the case and new
    controls need to be put into place

5
Sample Monitoring Plan Format
6
Monitoring Plan Control Levels
  • Level 1: Execution/Operating Controls
  • Controls that must be applied to manage the risk
    to an acceptable level
  • Embedded in day-to-day operations, and includes:
    • Policies and procedures; segregation of duties;
      reconciliations/comparisons; data integrity
  • Performed on every transaction in real time by
    the generators of the event

7
Monitoring Plan Control Levels
  • Level 2: Supervisory/Monitoring Controls
  • Re-application of execution/operating controls
  • Supervisory review; quality assurance;
    self-assessment
  • Performed on a sample of total events soon after
    the transaction
  • By line management or staff positions not
    originating the event

8
Monitoring Plan Control Levels
  • Level 3: Oversight/Executive Controls
  • Procedures to ensure that supervisory and/or
    operating controls have been applied as designed
  • Exception reports, status reports, analytical
    reviews, variance analysis
  • Performed weeks to months after event/transaction
    originated
  • Performed by senior management not part of
    day-to-day operations

9
Monitoring Plan Control Levels
  • Level 4: Assurance Activities
  • Processes that increase the confidence level that
    executive management has in both the reliability
    and relevance of risk management activities
  • Assurance levels of high risk areas
    • Certifications by management (self-assessments)
    • Inspections by the Compliance Office or Internal
      Audit
    • Internal or External Audits: Information
      validation and/or Design audit
    • Peer review/External Review
  • Performed long after event/transaction originated
  • Often performed by staff with no involvement in
    the operations
  • Performed on sample, individual events for
    discovery and validation

10
Levels of Internal Control
[Figure: Levels of Internal Control. Axes: Items Affected (Isolated Items; Exceptions, status; Sample of Transactions; Every Transaction), Time (Real Time, Soon After, Annually, Periodically) and Involvement In Process (None, Little, Some, Totally). Levels shown: Level 1 - Execution, Level 2 - Supervisory, Level 3 - Oversight, Level 4 Assurance. Source: UT System Audit Office, David B. Crawford, 07/28/99]
11
Responsible Party Role
  • Responsible Party
  • Risk Assessments: Identifies compliance risks
    for their risk area
  • Risk Management plans: Created for their high
    compliance risk area
  • Specialized Training: Developed and provided to
    appropriate personnel by appropriate content
    experts
  • Monitoring Plans: Created and are being executed
  • Monitoring Activities: Validate that Level 2 and 3
    controls are being carried out consistently as
    designed
  • Report: To Compliance Office, supervisory
    control and specialized training activities,
    including causes of failure and corrective
    actions
  • Predetermined consequences: Established and/or
    communicated for non-compliance with controls
    (e.g., failure to pass audit: suspension of
    billing)
  • Reassess the Environment: Monitors the changing
    environment

12
Compliance Office Role
  • Compliance Office: Provides assurance that an
    effectively designed compliance program for the
    institutional high compliance risk areas has
    been implemented...
  • Are responsible parties performing their duties
    and monitoring activities?
  • Are risk assessments taking place?
    Facilitate/train as needed
  • Are risk management plans in place for all high
    compliance risk areas?
  • Single high-level responsible party?
  • Area risk assessments conducted
  • Specialized training provided to appropriate
    personnel, by appropriate content experts?
  • Monitoring plans in place and being executed for
    all high compliance risk areas? Facilitate/Train
    as needed
  • Is the reporting to the compliance office being
    done? Corrective actions implemented?

13
Compliance Office Role
  • And also to perform monitoring activities to
    ensure that they are, in fact, operating
    effectively
  • Determine if training is being performed in
    accordance with the training plan
  • Review training content quality and sign-in sheets
    to ensure training is being performed
  • Determine if the responsible person is monitoring
    compliance as stated in the monitoring plan
  • Spot check (inspect) of subset of responsible
    party monitoring activities to validate
  • Examine documentation maintained by the
    responsible person to ensure that monitoring is
    being documented
  • Does monitoring plan appear reasonable? Is it
    measurable, sufficient to ensure compliance,
    etc.?
  • Determine if reporting is being performed in
    accordance with the reporting plan
  • Review reporting documentation
  • Does reporting include identified causes of
    failure, recommendations to mitigate repetitive
    failure? Has corrective action been taken?
    Specialized training status?

Q: On which risks should the Compliance Office
do this?
14
Assurance at Different Risk Levels
15
Monitoring Plan Oversight Matrix
Key learning: Compliance office must have
expertise in the risk area to provide effective
oversight. What if you don't have the expertise?

16
Discussion Topics
17
Monitoring Plan Oversight Matrix - Research

18
Monitoring Plan Oversight Matrix - Human Subjects

19
Monitoring Plan Oversight Matrix - EHS

20
Monitoring Plan Oversight Matrix - NCAA

21
Monitoring Plan Oversight Matrix - Medical Billing

22
Monitoring Plan Oversight Matrix - Endowments

23
Discussion Questions
  • Which department risks are you going to include
    on your institutional level A risks? How do
    you decide?
  • How can I effectively monitor 200 critical risk
    items?
  • How much work should we perform in an inspection
    of a high risk item?
  • How frequently should internal audit be asked to
    perform a design audit of the compliance program?
    Of institutional high risk areas?
  • Is there a standard self-assessment tool that we
    could use for the executive compliance committee
    and for the high-risk area working group?

24
Backup
25
Monitoring Plan Matrix
26
Specialized Training
  • The specialized training plan identifies:
    • Who is trained
    • Level of knowledge transferred
    • Frequency of training
    • Provider of training
    • Testing methodology