Auditing and Monitoring - Cook

6th Annual Conference for Effective Compliance Systems in Higher Education. Monitoring Plan. June 2, 2008. Mary Cook, University of Houston - Downtown, [email protected], (713) 222-5340


Page 1: Auditing and Monitoring - Cook

6th Annual Conference for Effective Compliance Systems in Higher Education

Monitoring Plan

June 2, 2008

Mary Cook
University of Houston - Downtown
[email protected]
(713) 222-5340

Page 2: Auditing and Monitoring - Cook

Overview of Session

Developmental Stages

Review Monitoring Plan (Optimization Form)

Lessons Learned

Questions

Page 3: Auditing and Monitoring - Cook

Developmental Stages

By the Book

Effective Compliance Systems: A Practical Guide for Educational Institutions by David Crawford, Charles Chaffin and Scott Scarborough

Components of an Effective Compliance Program

Summarized the key points in the book to both clarify for myself and provide training for the UHD Institutional Compliance Committee

Page 4: Auditing and Monitoring - Cook

Developmental Stages

Initial Risk Assessment

Bottom-Up Risk Assessment with participation of subject matter experts (See “Attachment I: Quick Reference” handout)

UH System specified risk areas

Reviewed each Risk Assessment Matrix (VP of Administration, Compliance Officer and Subject Matter Experts)

“A Risk List” (HH and HM) – Institutional Compliance Committee risk

“B Risk List” (All Others) – Work Unit risk

Page 5: Auditing and Monitoring - Cook

Developmental Stages

Document Existing Controls

Started with what we were already doing

Completion of the Risk Assessment Matrix and the Monitoring Plan revealed the controls that need to be added

Initial Monitoring Plan based upon “The Green Book” format (See “Attachment II: Initial Monitoring Plan”) and later converted to the “Optimization Form” (See “Attachment III: Monitoring Plan / Optimization Form”)

Page 6: Auditing and Monitoring - Cook

Overview of Session

Developmental Stages

Review Monitoring Plan (Optimization Form)

Lessons Learned

Questions

Page 7: Auditing and Monitoring - Cook

Monitoring Plan / Optimization Form

Value of the Optimization Form

Consolidates risk, controls and evidence of controls on one spreadsheet

Eliminates duplication of controls and displays single control across multiple risks

Controls also address many of the work unit risk (“B Risk List”)

Facilitates ongoing, more effective monitoring of risk and controls

Identifies the true “Responsible Party”

Page 8: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

Upper Right Hand Corner

Identifies:

Compliance Section: Financial Aid

Responsible Party: Vice President of Student Services and Enrollment

Risk Matrix (and Monitoring Plan) Prepared By: Executive Director and Director of Scholarships & Financial Aid (Subject matter experts)

Page 9: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

Worksheet Columns

Column – Content

1st – Level of Control

2nd – Actual Controls for Specific Risk Areas

3rd Set – Identified Risk (Risk Assessment Matrix)

4th – Evidence of Control

5th – Predetermined Consequences if Employee is Found to be in Non-Compliance

6th – Monitoring Frequency

7th Set – Ongoing Monitoring Updates

Page 10: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

1st Column – Level of Control

Level 1: Operating Control – Real time work done by staff

Controls required to move transactions through the process using the policies and procedures that govern the process.

Level 2: Supervisory Control – Ensures work has been done correctly

Rework / spot check of a sample or all of the Level 1 Operating Controls to verify the work

Level 3: Supervisory/Oversight Control – Determines if Level 1 and Level 2 Controls appear to be working

Review of the exceptions, errors, complaints, or analysis of accumulated data

Investigation or review of something that has already happened and appears to be noncompliant

Page 11: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

1st Column – Level of Control (cont.)

An appropriate internal control structure must have a mix of Level 1, Level 2, and Level 3 Controls

Level 1 Controls offer no assurance that the process is operating to minimize risks

Level 2 and Level 3 Controls provide information on how well the employees are following the operating controls

A mix of the three levels of control is needed; however, every Level 1 Control does not have to have a Level 2 or Level 3 Control

Page 12: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

1st Column – Level of Control (cont.)

Level 4: Audit – Internal and external audit to:

Verify work is being done correctly and/or

Investigate potential noncompliance

Not necessarily included on the “Monitoring Plan / Optimization Form” but a part of the overall risk/control assessment program are Level 4 Controls

Page 13: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

2nd Column – Controls

Level 1 – Operating Control - The goal is to mitigate the risk to an acceptable level. Too many controls utilize resources without corresponding benefit. Too few controls allow a higher than desired level of risk.

Level 2 and Level 3 – Supervisory Control - The goal is to demonstrate the operating control is being applied as intended.

Don’t reinvent the wheel! Start with the controls you already have in place.

Page 14: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

2nd Column – Controls

Start with the Operating Controls identified in the Risk Assessment Matrix

For each row, list the Operating Control from the Risk Assessment Matrix/Monitoring Plan.

Immediately following that Operating Control, list the associated Supervisory Control(s).

Include internal/external training and controls for potential/actual noncompliance.

A single control typically operates on multiple risks. The control should only appear on the spreadsheet one time.

Page 15: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

3rd Set of Columns – Specific Risk

One column for each risk identified in the Risk Assessment Matrix

Start with the highest risk. All HH’s (Impact/Probability) should be listed first, then HM’s, and so on.

Be sure each risk is a single risk. For example, fraud and unintentional error are two separate risks.

Reference “Attachment II: Initial Monitoring Plan”

The Summary, Legal Basis, Applicable Institution Policy, Specific Risk and Enforcement Mechanisms information was added as a comment insert since the work had already been done on the initial Monitoring Plans.

Page 16: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

3rd Set of Columns – Specific Risk (cont.)

In the control row, place an “X” in each risk column that applies to the control. Each time the control is monitored, you gain information on each risk the control works on.

Concentrate monitoring on those controls that work on the highest number of risks. This gives you the most assurance with the least work.

Monitor the remaining risks on a less frequent and random basis; otherwise the staff will begin to ignore the controls. The employees must know there is the possibility that every control will be monitored.

Page 17: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

3rd Set of Columns – Specific Risk (cont.)

The “Perception of Detection”

Keeps employees focused on the controls and helps to prevent fraud

Page 18: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

4th Column – Evidence of Control

Level 1 – Operating Control - The goal is to demonstrate the control has been performed, i.e., the training curriculum and signed roster of attendees of a training class.

Level 2 and Level 3 – Supervisory Control - The goal is to have a documented trail left by the supervisor that can be verified by an oversight reviewer representing line management, the compliance function, internal audit or a peer review team.

The Monitoring Plan focuses on both mitigating the risk and documenting the controls.

Page 19: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

4th Column – Evidence of Control

Description of the document that shows evidence of the application of the operating control, supervisory control, or oversight review control

There should be some Evidence of Control for each control listed

Page 20: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

4th Column – Evidence of Control (cont.)

Documentary evidence includes, but is not limited to the following:

Initials and date on existing documents or reports,

Notations written on a reconciliation, or

Exception reports indicating handling and clearing problems.

Page 21: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

5th Column – Predetermined Consequences

This section requires buy-in from Human Resources. UHD Employee Services and Operations provided the first pass draft for this section.

Concerns regarding potential negative impact on litigated matters

All rows were completed with either a predefined consequence or the reason a predefined consequence did not apply

Page 22: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

6th Column – Monitoring Frequency

This column was added in response to concerns among the Institutional Compliance Committee members regarding the monitoring of controls that occur infrequently.

Monitoring frequency options include but are not limited to:

Once Every Two Years ♦ Annually

Twice a Year ♦ Quarterly ♦ Monthly

As Needed ♦ Each Occurrence

Ongoing ♦ Ongoing/(Statistics Reported Monthly)

Page 23: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

7th Set of Columns – Ongoing Monitoring Updates

Series of three columns used to record each time someone monitors or checks to see if a control is working.

Column 1: Date - Date the control is monitored,

Column 2: Reviewer - Name of individual monitoring the control, and

Page 24: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

7th Set of Columns – Ongoing Monitoring Updates (cont.)

Column 3: Status – Results/findings of monitored controls. This column can indicate:

The condition of the monitored item, i.e., Acceptable, Needs Improvement, or Unacceptable

A reference to a working paper where the monitoring details are recorded or the comment feature of Excel can be used to record the information in the spread sheet

Page 25: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form Overview

7th Set of Columns – Ongoing Monitoring Updates (cont.)

Use a new set of three columns for each time controls are monitored. Copy the set of columns and continue to add them to the right of the spreadsheet.

Page 26: Auditing and Monitoring - Cook

Monitoring Plan/Optimization Form

The Vision

Read only access:

Executive Management

Compliance Committee Members

UH System Compliance Officers

Monitor/Revise access:

Responsible Party

Subject Matter Expert

UHD Compliance Officer

Page 27: Auditing and Monitoring - Cook

Overview of Session

Developmental Stages

Review Monitoring Plan (Optimization Form)

Lessons Learned

Questions

Page 28: Auditing and Monitoring - Cook

Lessons Learned

Work through the Monitoring Plan in small bite size pieces

Become the expert on the form (You will need to both teach and coach)

Populate the initial draft of the form yourself using the Risk Assessment Matrix and any existing Monitoring Plans

Fill as many of the missing boxes as possible with a “reasonable” option (Focus on documenting the current process as opposed to developing something new)

Page 29: Auditing and Monitoring - Cook

Lessons Learned (cont.)

Teach the Committee how to populate the form and work with the individuals to complete the form

Set deadlines

Become an expert at “Gentle Reminders” and never let a Subject Matter Expert know he/she is not the only one that missed the deadline!

You really do have to be the Preacher, Salesman, Coach and Cop!

(Sometimes all at once!)

Page 30: Auditing and Monitoring - Cook

Overview of Session

Developmental Stages

Review Monitoring Plan (Optimization Form)

Lessons Learned

Questions

Page 31: Auditing and Monitoring - Cook

Creating a Culture of Compliance

Compliance is an art developed through training and habituation.

We do not act rightly because we have virtue and ethics,

but rather, we have virtue and ethics

because we have acted rightly. We are what we repeatedly do.

Compliance, then, is not an act, but a habit.

(Adaptation of Aristotle’s quote on “Excellence”)