Best Practices in Implementing an Effective Compliance Program

About This Presentation

Title:

Best Practices in Implementing an Effective Compliance Program

Description:

Determine Critical Risks for the high-risk area ... Compare your institutional critical risks to similar institutions or to available models ... – PowerPoint PPT presentation

Number of Views:168

Avg rating:3.0/5.0

Slides: 85

Provided by: aud84

Category:

more less

Transcript and Presenter's Notes

Title: Best Practices in Implementing an Effective Compliance Program

1
Best Practices in Implementing an Effective
Compliance Program

Presented By David B. Crawford, CIA,
CCSA Justina Crawford, MA, BME JDEnterprises cr
awfordjd_at_earthlink.net
2
Agenda

Introduction
Essentials of An Effective Compliance Program
How to Begin
The First Six Months
Code of Conduct and General Compliance Training

3
Agenda(continued)

Risk Assessment
Managing the Critical Risks
Assurance Strategies
Handling Potential and Actual Instances of
Non-compliance
What About the Non-critical Risks?
Whats Next?

4
Compliance Program Objective
To provide an infrastructure that facilitates
on-going assurance that the institution is
complying with internal and external laws,
regulations, policies, and procedures.
5
Essential Elements

Compliance standards and procedures
High level manager in charge
Communicate what is important to all employees
Monitor and Audit
Confidential Reporting Mechanism
Consistent enforcement and discipline
Respond, learn, and adjust

6
Compliance COSO

Control Environment
Risk Assessment
Control Activities
Information Communication
Monitoring

Standards high level manager in charge
Communicate what is important
Monitoring Plans
Awareness and reporting mechanisms
Monitor and Audit

7
Developing the Action Plan

Ad hoc committee to develop plan
Outside assistance
Words are so important
Approval from highest authority possible
It takes longer than you think
It must have relevance to each individual employee

8
The First Six Months

Establish the compliance committee structure
Appoint a Compliance Officer
Establish a compliance function
Train the infrastructure employees

9
Compliance Committees

Executive Compliance Committee (ECC)
Compliance Working Committee (CWC)
High-risk Sub-committees

10
ECC Purpose

To provide the executive level decision-making
function for the institutions compliance program
To serve as an extension of the Board in
providing the oversight function for the
compliance program at the institution

11
ECC Duties and Responsibilities Provide Guidance
Direction

Establish the policies for the compliance program
Set the tone at the top for the institutions
commitment to ethics, integrity, and doing the
right thing
Walk the talk that is, provide continuous
example of how the institution expects employees
to act

12
ECC Duties and Responsibilities Allocate
Appropriate Resources

Appoint an senior executive as the Compliance
Officer
Appropriate resources are dictated by the
complexity of the compliance environment of the
institution
Resources include budgets specifically for
compliance infrastructure activities and the
structuring of compliance activities into normal
operational duties

13
ECC Duties and Responsibilities Oversee the
Institutions Compliance Program

Understand the compliance risk picture of the
institution
Approve the Annual Compliance Operating Plan to
manage the institution critical compliance risks
Monitor the execution of the plan to manage
compliance risks
Review sanctions (for significant non-compliance
instances) and rewards (for exemplary compliance
efforts) to ensure equity and consistency

14
ECC Composition and Operation

Senior executives
Size is determined by compliance complexity and
operating philosophy
Meetings should be as frequently as necessary to
perform duties and responsibilities but at least
Quarterly
Maintains minutes of meetings

15
Compliance Working Committee

Composition the responsible party from each
high-risk area
Duties
Receive periodic activity reports from each
high-risk area
Perform specific tasks assigned by Compliance
Officer
Recommend the Critical Risks to the ECC
Act as Compliance Advocates Cheerleaders

16
High-Risk Area Sub-Committees

Leader - Compliance Working Committee Member
from High-risk area
Members Employees representing each risk in the
high-risk area
Duties
Perform risk assessment of the High-risk area
Determine Critical Risks for the high-risk area
Develop monitoring, specialized training, and
reporting plans for the critical risks in the
high-risk area

17
The Compliance Officer? Current Executive Staff
Member

Pro
Knows the culture
Immediate start
Network already established
No reallocation of resources required
Con
Not the main job
Compliance perceived as part of functional area
Possibly conflicts with regular duties

18
The Compliance Officer? Create a New Executive
Staff Position

Pros
Main job
Not attached to an existing functional area
Cons
Hiring process takes time
Must learn institutional culture
Must develop personal network
Delays program implementation
Reallocation of institutional resources required

19
Compliance Officer Responsibilities

Make compliance a part of everyday activities of
the institution
Monitor the various compliance program activities
Communicate with the chief executive officer and
others regarding compliance program activities
Establish a compliance function

20
Making Compliance a Part of Everyday Activities

Awareness communication avenues
Risk-based plan and compliance manual
Training tools and delivery mechanisms
Monitoring plans and assurance processes
Confidential reporting mechanism
Reporting procedures

21
Monitor Compliance Program Activities

Training
Critical risks monitoring plans
Monitoring of Non-compliance

22
Communicate with Executive Management

Instances of non-compliance that require
executive action
Risk-based plan
Monitoring activities
Compliance Working Committee meeting minutes
Compliance program self-assessment

23
Establish the Compliance Function

Robust compliance function
Coordinator compliance function
Informal compliance function
No compliance function

24
Robust Compliance Function

Complex compliance environment
Full-time compliance officer
Full-time support staff
Separate budget and organizational chart
Absorbs previously independent compliance
activities such as medical billing or
environmental health safety
Usually found in health-related and major
research-oriented institutions

25
Coordinator Compliance Function

Complex compliance environment
Compliance Officer has other pre-existing
responsibilities and devotes little time
Delegates daily operation of the compliance
program to a coordinator
Full-time support staff, usually with separate
budget
Usually found in academic institutions with some
research, intercollegiate athletics, on-campus
housing, etc.

26
Informal Compliance Function

Limited compliance environment
Full-time compliance officer
Support staff comes from existing institutional
operating units such as EHS, internal auditing,
human resources, etc
Budget limited and may be buried

27
No Compliance Function

Limited compliance environment
Compliance officer has other pre-existing
functional responsibilities
Support provided by compliance committee, other
institutional units, and outsiders
Budget usually for external help only
Usually found in small institutions engaged
mostly in undergraduate instruction

28
Compliance Officer and Function Summary

Big job
Compliance officer must be a communicator
Compliance coordinator and staff need consultant,
assurance provider mentality
Start-up decisions and long-term decisions may
not be the same

29
Code of Conduct

Be careful of the words used
Do not establish new policies and procedures
Use a committee with broad representation of the
university community to develop
Include faculty up-front

30
General Compliance Training

Curriculum
Content
Testing for Knowledge Transmission
Delivery Mechanisms
General Compliance Training Plan
Initial effort
Subsequent years

31
Risk AssessmentDefinition of Compliance Risks

A compliance risk is the likelihood that an
employee (faculty, administration, or staff) will
fail to follow an internal policy or procedure or
an external law, rule or regulation that applies
to the activity in which they are engaged.

32
Risk Assessment Process

Perform compliance risk assessment for each risk
area of the institution
Present area risk matrix to the Compliance
Working Committee
CWC prepares a risk matrix for the institution
that includes each area and its critical risks
CWC then re-determines the impact and probability
of these risks from an institution perspective
rather than an area perspective
The result is the Institutional Compliance Risk
Matrix

33
How To Determine Your Critical Risks

This is determined by each institution
Guidelines might be
Items with HH and HM values (high impact/high
probability and high impact/medium probability)
should be on critical list
Items with HL and MH may be on critical list

34
Validate Your Critical Risk List

Compare your institutional critical risks to
similar institutions or to available models
Be able to explain rationale for any item on your
critical list that is not on the other
institution or model risk list
Be able to explain rationale for any item on
other institution or model risk list but not on
your critical list

35
What About All the Other Compliance Risks

Critical risks at every level must be managed
Critical risks at every level require
Responsible party
Monitoring plan
Specialized training plan
Reporting plan
Difference between critical risks at the
different levels is who performs the oversight,
on whom, and for whom

36
Oversight Controls for Critical Risks at All
Levels
37
Keep Up with Changing Risk Environment

Centralized office to monitor external
environment
High Risk responsible parties monitor their
respective high risk area internal and external
environment
Compliance Working Committee discusses
environment and potential changes as a part of
every meeting
Annual assessment of both internal and external
environment

38
Risk Assessment Summary

Risk environment for your institution is unique
Risk environment continuously changes
Risk ranking changes with the environment
Risk assessment is on-going, not periodic
Be Prepared for change by Managing the Critical
risks at every level of the institution

39
Managing Critical Risks

Elements required for managing compliance
critical risks
Essential role of the responsible party in
managing risks
Attributes of monitoring plans that must be
documented
Specific details required for training plans
Activities that should be reported in a sound
reporting plan
Definitive lessons that can be learned in the
management of critical risks

40
Four Elements Required for Managing Critical
Risks

Responsible party
Monitoring plan
Specialized training plan
Reporting plan

41
Responsible Party Characteristics

Exclusive responsibility for managing the risk
Knowledge to manage the risk
Authority to manage the risk

42
Lesson Learned

If more than one responsible party is indicated,
it usually means
-- Risk should be split into multiple risks.
-- One of the responsible parties does not
fulfill the requirements of a responsible party
usually the authority to manage is the
requirement not met.
-- True responsible party does not want to
acknowledge responsibility.

43
Lesson Learned

The Chief Executive Officer has a vested
interest in having the appropriate staff member
designated as the responsible party for each
high-risk area because the responsible party is
the CEOs direct representative in the on-going,
everyday compliance assurance network.

44
Monitoring Plan

Every step in a monitoring plan should already
exist in the policies procedures that manage
the risk
The monitoring plan serves as the criteria for
all types of assurance services
The monitoring plan must include Level 1, Level
2, and Level 3 controls
The monitoring plan must indicate the
documentation that is created by each of the
levels of control

45
Assurance Continuum Levels of Control in COSO
Collaborative Assurance (Governance and
Management Control Processes)
Periodic Assurance
I----------I
I----------I
(Governance Control Processes)
I------------ On-going Assurance
------------I (Management Control Processes)
Level 1 Controls (Execution )
Level 3 Controls (Oversight)
Level 2 Controls (Supervisory)
Level 4 Controls (Internal Audit)
Level 4 Controls ( Internal Audit)
Pre-operations design review of on-going assurance
During execution of event or transaction
Immediately after execution of event or
transaction
Soon after execution of event or transaction
Post-operations audit of execution of on-going
assurance
46
Level 1 Controls(Execution Controls)

Embedded in day-to-day operations
Policies and procedures
Segregation of Duties
Reconciliations/Comparisons
Performed on every event/transaction
Performed by the generators of the
event/transaction
Performed in real time as the
event/transaction is executed

47
Level 2 Controls(Supervisory Controls)

Re-application of operating controls
Supervisory Review Quality Assurance Self
Assessment
Performed very soon after the generation of
the event/transaction
Performed by line management or staff
positions who do not originate the
event/transaction
Performed on a sample of the total number of
events/transactions

48

Level 3 Controls(Oversight Controls)

Exception reports, status reports, analytical
reviews, variance analysis
Performed by representatives of executive
management
Performed on information provided by supervisory
management
Performed within a short period (weeks/months)
after the event/transaction is originated

49
Level 4 Controls(Internal Audit Controls)

Audit of the design of controls not the
operation of controls
Performed either before the event/transaction
is originated or long after
Performed by staff with no involvement in the
operations
Performed on individual events/transactions for
discovery only

50
Lesson Learned

The best place to seek and get help in developing
an appropriate monitoring plan is your internal
audit department.

51
Specialized Training Plan

Identifies
Who is trained
Level of knowledge transferred
Frequency of training
Provider of training

52
Specialized Training Matrix
53
Reporting Plan should include

? Activity to be reported
Supervisory control activities detailed in
monitoring plan
Training activity detailed in training plan
? Items to be reported for each activity, such
as number of transactions examined or number of
employees trained
? Frequency of reporting for each activity
? Who receives the report for each activity

54
Supervisory control activities to be
reported

The number or percentage of execution events or
transactions in the universe and number examined
The number or percentage of execution events or
transactions that failed the control attribute
The identified causes of failure
The action taken to mitigate repetitive failure
The need for process improvement
The need to escalate the consequence of
non-compliance to mitigate repetitive
non-compliance

55
Examples

Number of purchase contracts reviewed from the
universe of contracts
Number of purchase contracts that did not satisfy
the competitive bidding process
Identified causes of failure - such as, personal
preference of requestor
Action taken - such as, provided training to all
buyers
Process changes - such as modify computer program
to include RFP and Award Designation
Second instance for requestor - need to remove
budget spending authority

56
Lesson Learned

Managing the critical risks is a learning
process that provides information about
Level of compliance
_ Instances of non-compliance and why they
occur
_ Effectiveness and/or need for specialized
training

57
Managing Critical Risks Summary (1/2)

Responsible party should have exclusive
responsibility for the risk, knowledge to manage
the risk, and authority to manage the risk.
A monitoring plan is not new controls but an
organized method of displaying controls that
already should exist.
Monitoring plans include execution, supervisory,
and oversight controls and how they are
documented
Monitoring plans are the road map for all
assurance services..

58
Managing Critical Risks Summary (2/2)

A specialized training plan includes who will be
trained, training content for each target group,
training provider, and measurement techniques
that will be used.
A reporting plan includes what activity will be
reported, the details to be reported for each
activity, and to whom the reports will be
directed.
Managing the critical risks provides the ability
to improve operations performance

59
Assurance Strategies

Assurance strategies increase the confidence
level that others have in the reliability and
relevance of the compliance function.
The goal is to give assurance about managing the
critical risks and the compliance function
Strategies are
Certification
Inspections and Agreed-upon procedures
External Expert Peer Reviews
Audits
Other External Assurance Providers

60
Certifications

?Given by each manager or responsible party for
their area/s
?Are essentially self-assessments
?Say that responsible parties are performing all
operating and monitoring controls that are
required
?Usually provides minimum confidence level
?Signed certifications provide increased value
?Are greatly enhanced if validated by compliance
or internal auditing personnel
?Should be used for every operational unit

61
Lesson Learned

? Certifications should be used for every
operational unit - even if additional assurance
strategies are used.
Provides level of assurance for
functional areas
Pushes managers to find out what is
happening in their units before they
certify

62
Inspections

?Are oversight controls
?Are on-going during current operating period
?Emphasize that responsible parties perform their
supervisory controls
?Indicate that the plan in place to manage the
critical risks is being followed

63
Criteria for the inspection process

Uses the monitoring plan
Uses the specialized training plan
Compliance personnel (or others) examine
records, individual transaction documentation,
and corrective action documentation (if needed)
and ensure correct reporting to the compliance
officer.

64
Lesson Learned

? Acceptable inspection programs require the

examination of DOCUMENTED evidence
To verify that supervisory controls were
performed
To verify that corrective action was taken if
appropriate

65
Agreed Upon Procedures

Performed by Internal Auditing function
? An assurance for the compliance officer -
almost exactly like an inspection
? Results are only reported to the Compliance
Officer and Compliance Committee
? For Internal Auditing, this is a consulting
service not an audit
? Procedures are actually contracted with the
internal auditing department
? Internal auditing staff are working for the
compliance function

66
Lesson Learned

? When internal auditing is performing the
oversight function under contract or agreement
with the compliance officer, the process is NOT
an audit.

67
External Expert Peer Reviews

External subject matter experts perform the
review
Professional stature of the peer review team
will affect the value of the review
External peer reviews may be the only feasible
way to obtain assurance

68
Types of External Peer Reviews

In lieu of compliance oversight
Provided for compliance officer
Provided by external peer review team subject
matter experts
2. In lieu of internal audits
Provided for CEO and governance function
Provided by external peer review team subject
matter experts
Of the compliance program
Provided for CEO and governance function
Provided by external peer review team

69
Lesson Learned

The compliance officer and compliance committee
should have a formal agreement with the peer
review team that is signed by each team member.
Agreement should address confidentiality, who
will receive the report, how to transmit
sensitive information, destruction of working
notes, etc.

70
Audits

Subject to professional standards of the
internal auditor
Criteria used by the internal auditor would be
the monitoring plan and specialized training plan
for the critical risks
Audit program will be designed to ensure that
risks are properly managed with special emphasis
on oversight controls and supervisory controls
Working papers are the property of the internal
auditing department
Audit report is through normal audit process

71
Audits . . .

?design audits
Requests to audit the design of the compliance
program
Internal Auditor and executive management
agree upon the purpose of the audit
?information validation audits
Requests for independent, objective party to
audit
Three parties involved group seeking
assurance (executive management), group providing
the information in question (compliance program),
and the assurance provider (internal auditing)

72
Lesson Learned

If specific instances of non-compliance are
identified during the execution of the audit
program, the internal auditor should report those
specific instances of non-compliance to the
compliance officer and the compliance committee.
Specific instances of non-compliance will not be
in the audit report.

73
Other External Assurance Providers

Compliance officer, CEO, and governance
function obtain assurance from other assurance
providers.
JCAHO External auditors
Accreditation teams (SACS) Federal auditors
Regulators

74
Lesson Learned

Reports of all external evaluations should be
filed with one particular institutional official,
such as the general counsel, the internal
auditor, the director of institutional research,
or the chief risk officer.
This will eliminate redundancy and will provide
opportunities to distribute reports to all
affected parties.

75
Deciding Which Assurance Strategy To Use

Criteria depends on
significance of the risk
prior experience with risk and its
management
availability of cost effective assurance
strategies
confidence level needed

76

Assurance Strategies Matrix
77
Assurance Strategy Summary

The primary focus of assurance is to increase the
confidence of decision-makers to an acceptable
level at the lowest cost.
Each strategy is defined by service provided,
provider, and information being validated.
The examples presented show a wide range of
strategies that give assurance.

78
Confidential Reporting Mechanism

Methods Available
Triage Process
Relationship to Other Reporting Sites

79
Lesson Learned

Confidential reporting mechanisms can not and
should not be the primary mechanism for
discovering and correcting non compliance!!!!!!!!

80
Line Management Responsibilities

Process policies and procedures are the primary
mechanism for discovering and correcting
noncompliance
Line management from the first line supervisor to
the chief administrative officer are responsible
for taking corrective action in cases of
noncompliance

81
Pre-Determined Consequences for Noncompliance

Ensures consistent, equitable action
Influences employee and manager behavior
Fulfills the Federal Sentencing Guidelines
requirement for discipline and corrective action

82
What About Those Risks That Do Not Make the
Critical List?