
Compliance Program Assessments in Higher Education:  

How They Add Value

Steve Tremaglio, Manager of Compliance

June 3, 2013

Northwestern Facts

• 3 Campuses

– Evanston, Illinois

– Chicago, Illinois

– Doha, Qatar

• 12 Colleges and Schools

• Faculty

– 2,500 full time

• Staff

– 5,444 full time

• Students

– 16,000 full‐time

(Photo: The Evanston campus)

Session Objectives

• Compliance Program Framework:  Components

• Northwestern University’s approach for assessing compliance program effectiveness 

• Analyzing the assessment results

– Common areas for improvement

– How to design recommendations that add value

Regulatory Compliance:  What’s the big deal?

Noncompliance can be costly to higher education institutions:

• $15 million; inflated research grant costs

• $12 million; over‐billing charges of unallowable items

• $12 million; underpayment of royalties

• $5.6 million; medical over‐billing

• $5.5 million; effort reporting issues

• $4 million of federal grant money returned; inappropriately spending research funds and failing to properly record purchases.

• $1.2 million; inflated research overhead costs

• $650,000; research fraud and abuse

• $205,000; mismanagement and misspending of a gift

Compliance Framework

• Identify essential components and controls of an effective compliance program utilizing a Compliance Framework:

– Federal Sentencing Guidelines

– Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Reference: The IIA Research Foundation (IIARF), 2001; author David B. Crawford, CIA, CCSA, CPA. Book available through IIARF and Amazon.

Federal Sentencing Guidelines

• Rules that set out a uniform sentencing policy for convicted defendants (including organizations) in the federal court system.

• Two factors that mitigate the ultimate punishment of an organization are: 

– Existence of an effective compliance and ethics program

– Self‐reporting, cooperation, or acceptance of responsibility


Federal Sentencing Guidelines*

Effective Compliance and Ethics Program Requirements:

• “Exercise due diligence to prevent and detect criminal conduct”.

• “Promote organizational culture that encourages ethical conduct and commitment to compliance with the law.”

• “Periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement to reduce the risk of criminal conduct identified through this process.”

*Federal Sentencing Guidelines

U.S.S.G. §§ 8B2.1, 8C2.5(f), & 8D1.4(c)(1)  (11/1/12)

Federal Sentencing Guidelines*

7 Elements of an Effective Compliance Program:

– Written Standards and Procedures

– Effective Oversight

– Training

– Monitoring and Auditing

– Discipline

– Corrective Action

*Federal Sentencing Guidelines

U.S.S.G. §§ 8B2.1, 8C2.5(f), & 8D1.4(c)(1)  (11/1/12)


The Committee of Sponsoring Organizations of the Treadway 

Commission (COSO)

• Formed in 1985 to study the causal factors that can lead to fraudulent financial reporting.

• Developed recommendations for various industries and regulators, including educational institutions.

COSO

• Model for evaluating internal controls

– Control Environment

– Risk Assessment

– Control Activities

– Information and Communication

– Monitoring

• Updated May 14, 2013

COSO Cube (2013 Edition)


Principles of Effective Internal Controls

Slide Source: COSO IC‐IF Outreach Deck_12 29 11 (http://www.ic.coso.org/pages/about‐the‐project.aspx)

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies


Compliance Assessment Framework

The Compliance Assessment Framework combines the Federal Sentencing Guidelines with the COSO internal control model.

What is a Compliance Program Assessment?

• Understand the significant regulatory risks managed on behalf of the University.

• Assess the effectiveness of unit compliance programs

• Identify any “gaps” in compliance program.

• Establish observations and mitigation strategies.

• Increase awareness of “best practices” in mitigating compliance risk.

Compliance Program Assessment Methodology

• Limited to interviews with members who have responsibility for managing and carrying out compliance activity related to the regulatory areas selected.

• Not designed to test compliance with regulations, rather, to assess the compliance program in comparison with the established Framework.

Assessment Cycle Approach

Planning

Fieldwork

Reporting

Follow‐up


Planning

Planning steps: Background and Research, Planning Memo, Planning Meeting, Kick‐off Meeting

Planning:  Background and Research

1. Develop understanding of unit/process 

2. Initial review of federal, state, and local regulations to identify areas managed by the unit:

• University’s Regulatory Matrix

• Enterprise Risk Management (ERM) Reports

Planning:  Research (cont.)

ERM Risk Classification (ERM categorizes all types of risk):

– Academic Risks

– Compliance Risks

– Financial Risks

– Operational Risks

– Reputational Risks

– Research Risks

– Strategic Risks

Planning:  Research (cont.)

Additional Resources:

• Catholic University of America, Campus Legal Information Clearinghouse:  http://counsel.cua.edu/

• Cornell University Law School

– U.S. Code:  http://www.law.cornell.edu/uscode/

– Code of Federal Regulations:  http://www.law.cornell.edu/cfr/

• Government Sites

– U.S. Government Printing Office:  http://www.gpo.gov/fdsys/

– Illinois General Assembly:  http://www.ilga.gov/legislation/ilcs/

• Higher Education Compliance Alliance:  http://www.higheredcompliance.org/

• Northwestern University Policies:  http://policies.northwestern.edu/

Planning:  Planning Memo

1. Background

• Project title

• Work location(s)

2. Risk Overview

• Rationale for the assessment (key risks)

3. Regulatory Environment Analysis

• Summary of regulatory requirements

4. Assessment Approach

• Objectives, scope for the area under review.

5. Resources

• Team members and roles

• Stakeholders/Key personnel

6. Target Dates

• Timeline of key events (opening meeting, closing meeting, report issuance, etc.)

Planning:  Kick‐off Meeting

Discuss process and expectations of the assessment.

Introductions

Factors considered in selecting area for assessment

Objectives and scope and outline of process

Protocol for communicating assessment results

Review list of regulatory areas and key risk areas managed by the unit

Follow‐up with email notification


Fieldwork

Phases:

• Interview

– One‐on‐one client interviews

– Draft interview notes

• Examination

– Documentation review

– Inspecting documents and reports for specific attributes

– Evaluation of the unit’s process

– Work paper review

• Formulating/Confirming Observations

• Wrap‐up

Fieldwork:  Interview

One‐on‐one client interviews:

Writing an Observation – 5 Elements

Condition:  What is?

Criteria:  What should be?

Cause:  Why did the condition occur?

Effect:  Risk; what could go wrong?

Recommendation:  Action needed to correct the cause.

Writing an Observation ‐ Example

The paragraph below contains all essential elements of a well‐written observation:

“Responsibility for compliance  throughout [Unit] is shared by two operating groups which manage [operating activities] in their own areas and report to different members of [Unit] leadership.  These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance.  Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made.  Assigning one member of unit leadership to oversee [operating activities] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of [Unit’s] compliance program.”

Writing an Observation (cont.)

Here’s the paragraph broken down into its elements:

Condition:  “Policies and procedures are not coordinated or consistently applied between operating groups, nor is a self‐assessment performed that collectively identifies where weaknesses are noted or improvements could be made.”

Criteria:  Assigning high‐level personnel to oversee the compliance program (the “Effective Oversight” element of the Federal Sentencing Guidelines).

Cause: “Responsibility for compliance  throughout [Unit] is shared by two operating groups which manage [operating activity] in their own areas and report to different members of [Unit] leadership.”

Effect: “These operating areas sometimes overlap which may cause confusion over which unit is responsible for compliance.”

Recommendation: “Assigning one member of [Unit] leadership to oversee [operating activities] throughout the [Unit] would ensure accountability and enhance the overall effectiveness of [Unit’s] compliance program.”

Fieldwork:  Wrap‐up Meeting

• No surprises!

• Discuss draft report/formal list of observations

• Bring evidence/support for results

• Focus should also include positive results and/or improvements

• Clearly explain next steps and avoid delays in issuing the final report!

• Thank the participants

• Solicit feedback

Fieldwork Best Practices

• Communication!

– Client

– Compliance Services Management

• Escalate issues and any changes

• Keep evidence of observations!


Assessment Results

36% ‐ Insufficient Monitoring

Deficiencies resolved by:

• Developing additional processes and new roles and responsibilities to ensure the monitoring is taking place.

• Creating and maintaining records to track their progress.  

• Filing reports with the local, state, and federal government on a timely basis.

Importance:

• To prevent or detect non‐compliance

Assessment Results

21% ‐ Policies and Procedures Incomplete or Inadequate

Deficiencies resolved by: 

• Documenting policies and procedures aligned with the regulatory requirements.

Importance:

• Staff understands what management expects of them.

• Continue to meet the regulatory requirements even though key personnel may leave the University.  


Assessment Results

17% ‐ Self‐assessment not performed.

Deficiencies resolved by: 

• Evaluating their compliance program annually or every two years and evaluating the current status of the program.

• Identifying and remedying any gaps in the program

• Reporting the assessment results to the unit lead

Importance:

• Provides personnel with the information needed to evaluate and improve the overall effectiveness of the compliance program.

Assessment Results

13% ‐ Inadequate supervisory review and/or segregation of duties

Deficiencies resolved by: 

• Reorganizing responsibilities, and 

• Requiring supervisory review to be performed before filing with the federal, state, and local agencies.  

Importance:

• To limit errors and omissions. 


Report Writing

Executive Summary

• Start draft process before fieldwork (template, scope, distribution list) 

• Include:  Purpose, Scope, Description of statute/regulation reviewed, and Summary of Results/Ratings

Observations

Management Mitigation Strategies

Assessment Results (summary table)

• Rows:  Statute/Regulation reviewed

• Columns (Compliance Framework categories):  Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring

• Legend:  Adequate with the University’s framework for managing compliance  /  Gap  /  Significant Deficiency

Follow‐up

• Active and robust follow‐up is essential

• Follow‐up procedures

• Documentation standards

• Follow‐up report

Q+A Session

Let’s discuss!

Steven A. Tremaglio, CIA, CFE, MBA

Phone: (847) 491‐4951, Fax: (847) 467‐1412

E‐mail: s‐[email protected]