Compliance Program Assessments in Higher Education:
How They Add Value
Steve Tremaglio, Manager of Compliance
June 3, 2013
Northwestern Facts
• 3 Campuses
– Evanston, Illinois
– Chicago, Illinois
– Doha, Qatar
• 12 Colleges and Schools
• Faculty
– 2,500 full time
• Staff
– 5,444 full time
• Students
– 16,000 full-time
[Photo: The Evanston campus]
Session Objectives
• Compliance Program Framework: Components
• Northwestern University’s approach for assessing compliance program effectiveness
• Analyzing the assessment results
– Common areas for improvement
– How to design recommendations that add value
Regulatory Compliance: What’s the big deal?
Noncompliance can be costly to higher education institutions:
• $15 million; inflated research grant costs
• $12 million; over‐billing charges of unallowable items
• $12 million; underpayment of royalties
• $5.6 million; medical over‐billing
• $5.5 million; effort reporting issues
• $4 million of federal grant money returned; inappropriately spending research funds and failing to properly record purchases.
• $1.2 million; inflated research overhead costs
• $650,000; research fraud and abuse
• $205,000; mismanagement and misspending of a gift
Compliance Framework
• Identify essential components and controls of an effective compliance program utilizing a Compliance Framework:
– Federal Sentencing Guidelines
– Committee on Sponsoring Organizations
Book: Publisher: The IIA Research Foundation (IIARF); Publish Date: 2001; Authors: David B. Crawford, CIA, CCSA, CPA. Available through IIARF and Amazon.
Federal Sentencing Guidelines
• Rules that set out a uniform sentencing policy for convicted defendants (including organizations) in the federal court system.
• Two factors that mitigate the ultimate punishment of an organization are:
– Existence of an effective compliance and ethics program
– Self‐reporting, cooperation, or acceptance of responsibility
Federal Sentencing Guidelines*
Effective Compliance and Ethics Program Requirements:
• “Exercise due diligence to prevent and detect criminal conduct”.
• “Promote organizational culture that encourages ethical conduct and commitment to compliance with the law.”
• “Periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement to reduce the risk of criminal conduct identified through this process.”
*Federal Sentencing Guidelines
U.S.S.G. §§ 8B2.1, 8C2.5(f), & 8D1.4(c)(1) (11/1/12)
Federal Sentencing Guidelines*
7 Elements of an Effective Compliance Program:
– Written Standards and Procedures
– Effective Oversight
– Training
– Monitoring and Auditing
– Discipline
– Corrective Action
*Federal Sentencing Guidelines
U.S.S.G. §§ 8B2.1, 8C2.5(f), & 8D1.4(c)(1) (11/1/12)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Formed in 1985 to study causal factors that lead to fraudulent financial reporting.
• Developed recommendations for various industries and regulators, including educational institutions.
COSO
• Model for evaluating internal controls
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring
• Updated May 14, 2013
COSO Cube (2013 Edition)
Principles of Effective Internal Controls
Slide Source: COSO IC‐IF Outreach Deck_12 29 11 (http://www.ic.coso.org/pages/about‐the‐project.aspx)
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Compliance Assessment Framework
[Diagram: Federal Sentencing Guidelines + COSO → Compliance Assessment Framework]
What is a Compliance Program Assessment?
• Understand the significant regulatory risks managed on behalf of the University.
• Assess the effectiveness of unit compliance programs
• Identify any “gaps” in compliance program.
• Establish observations and mitigation strategies.
• Increase awareness of “best practices” in mitigating compliance risk.
Compliance Program Assessment Methodology
• Limited to interviews with members who have responsibility for managing and carrying out compliance activity related to the regulatory areas selected.
• Not designed to test compliance with regulations, rather, to assess the compliance program in comparison with the established Framework.
Assessment Cycle Approach
Planning
Fieldwork
Reporting
Follow‐up
Planning
[Diagram of planning steps: Background and Research; Planning Memo; Planning Meeting; Kick-off Meeting]
Planning: Background and Research
1. Develop understanding of unit/process
2. Initial review of federal, state, and local regulations to identify areas managed by unit:
• University’s Regulatory Matrix
• Enterprise Risk Management (ERM) Reports
Planning: Research (cont.)
ERM Risk Classification (ERM categorizes all types of risk):
Academic Risks
Compliance Risks
Financial Risks
Operational Risks
Reputational Risks
Research Risks
Strategic Risks
Planning: Research (cont.)
Additional Resources:
Catholic University of America:
Campus Legal Information Clearinghouse: http://counsel.cua.edu/
Cornell University Law School:
U.S. Code: http://www.law.cornell.edu/uscode/
Code of Federal Regulations: http://www.law.cornell.edu/cfr/
Government Sites:
U.S. Government Printing Office: http://www.gpo.gov/fdsys/
Illinois General Assembly: http://www.ilga.gov/legislation/ilcs/
Higher Education Compliance Alliance: http://www.higheredcompliance.org/
Northwestern University: http://policies.northwestern.edu/
Planning: Planning Memo
1. Background
• Project title
• Work location(s)
2. Risk Overview
• Rationale for the assessment (key risks)
3. Regulatory Environment Analysis
• Summary of regulatory requirements
4. Assessment Approach
• Objectives, scope for the area under review.
5. Resources
• Team members and roles
• Stakeholders/Key personnel
6. Target Dates
• Timeline of key events (opening meeting, closing meeting, report issuance, etc.)
Planning: Kick‐off Meeting
Discuss process and expectations of the assessment.
Introductions
Factors considered in selecting area for assessment
Objectives and scope and outline of process
Protocol for communicating assessment results
Review list of regulatory areas and key risk areas managed by the unit
Follow‐up with email notification
Fieldwork
Phases:
• Interview
– One on one client interviews
– Draft interview notes
• Examination
– Documentation review
– Inspecting documents and reports for specific attributes
– Evaluation of unit’s process
– Work paper review
• Formulating/Confirming Observations
• Wrap‐up
Fieldwork: Interview
One on one client interviews:
Writing an Observation – 5 Elements
Condition: What is?
Criteria: What should be?
Cause: Why did the condition occur?
Effect: Risk; what could go wrong?
Recommendation: Action needed to correct the cause.
Writing an Observation – Example
The passage below contains all essential elements of a well-written observation:
“Responsibility for compliance throughout [Unit] is shared by two operating groups which manage [operating activities] in their own areas and report to different members of [Unit] leadership. These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance. Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made. Assigning one member of unit leadership to oversee [operating activities] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of [Unit’s] compliance program.”
Writing an Observation (cont.)
Here’s the passage broken down into its elements:
Condition: “Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made.”
Criteria: Assigning high level personnel to oversee the compliance program.
Cause: “Responsibility for compliance throughout [Unit] is shared by two operating groups which manage [operating activity] in their own areas and report to different members of [Unit] leadership.”
Effect: “These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance.”
Recommendation: “Assigning one member of [Unit] leadership to oversee [operational activity] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of Unit’s compliance program.”
Fieldwork: Wrap‐up Meeting
• No surprises!
• Discuss draft report/formal list of observations
• Bring evidence/support for results
• Focus should also include positive results and/or improvements
• Clearly explain next steps and avoid delays in issuing the final report!
• Thank the participants
• Solicit feedback
Fieldwork Best Practices
• Communication!
– Client
– Compliance Services Management
• Escalate issues and any changes
• Keep evidence of Observations!
Assessment Results
Assessment Results
36% ‐ Insufficient Monitoring
Deficiencies resolved by:
• Developing additional processes and new roles and responsibilities to ensure the monitoring is taking place.
• Creating and maintaining records to track their progress.
• Filing reports with the local, state, and federal government on a timely basis.
Importance:
• To prevent or detect non‐compliance
Assessment Results
21% ‐ Policies and Procedures Incomplete or Inadequate
Deficiencies resolved by:
• Documenting policies and procedures aligned with the regulatory requirements.
Importance:
• Staff understands what management expects of them.
• Continue to meet the regulatory requirements even though key personnel may leave the University.
Assessment Results
17% ‐ Self‐assessment not performed.
Deficiencies resolved by:
• Evaluating their compliance program annually or every two years and evaluating the current status of the program.
• Identifying and remedying any gaps in the program
• Reporting the assessment results to the unit lead
Importance:
• Provides personnel with the information needed to evaluate and improve the overall effectiveness of the compliance program.
Assessment Results
13% ‐ Inadequate supervisory review and/or segregation of duties
Deficiencies resolved by:
• Reorganizing responsibilities, and
• Requiring supervisory review to be performed before filing with the federal, state, and local agencies.
Importance:
• To limit errors and omissions.
Report Writing
Executive Summary
• Start draft process before fieldwork (template, scope, distribution list)
• Include: Purpose, Scope, Description of statute/regulation reviewed, and Summary of Results/Ratings
Observations
Management Mitigation Strategies
[Assessment Results table: rows are the Statute/Regulation reviewed; columns are the Compliance Framework Categories (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring)]
Legend (rating symbols not reproduced): Adequate with the University’s framework for managing compliance; Gap; Significant Deficiency
Follow‐up
• Active and robust follow‐up is essential
• Follow‐up procedures
• Documentation standards
• Follow‐up report
Q+A Session: Let’s discuss!
Steven A. Tremaglio, CIA, CFE, MBA
Phone: (847) 491-4951, Fax: (847) 467-1412
E-mail: s-[email protected]