2006 ACUA Midyear Seminar - PowerPoint PPT Presentation

About This Presentation
Title:

2006 ACUA Midyear Seminar

Description:

2006 ACUA Midyear Seminar, Compliance Track, April 10-12, 2006. Presented by: Charles Chaffin, Jane Youngers, Pete Carlon, David Givens, Amy Barrett, Kimberly Hagara

Slides: 63
Provided by: utsystemE
Learn more at: http://www.utsystem.edu
Transcript and Presenter's Notes

Title: 2006 ACUA Midyear Seminar


1
2006 ACUA Midyear Seminar, Compliance Track
April 10-12, 2006
Presented by: Charles Chaffin, Jane Youngers, Pete Carlon, David Givens,
Amy Barrett, Kimberly Hagara, Michael Charlton, Paige Buechley, Lisa Blazer,
Paul Pousson, Dick Dawson
2
Compliance Track Agenda
  • Day 1
  • Compliance fundamentals
  • High compliance risk areas
  • Environmental Health and Safety
  • Day 2
  • Research
  • NCAA
  • Day 3
  • Student Financial Aid
  • Other high compliance risk areas
  • Wrap-up and Enterprise Risk Management

3
The Fundamentals of Compliance in Higher Education
Presented by Charles G. Chaffin, CPA, CIA
Director of Audits and System-wide Compliance Officer
The University of Texas System
April 10, 2006
4
Outline
  • What is Compliance?
  • Compliance Fundamentals
  • Audit's Value in Compliance
  • High Risk Areas

5
Who we are
  • 90,000 employees
  • 183,000 students (3K to 50K per campus)
  • $31.9 billion total assets
  • $19.3 billion portfolio under management
  • $9.6 billion annual operating budget
  • 5 billion dollar construction program
  • >1.5 billion dollars in annual research funds
  • 2.1 million acres in West Texas, nearly 10,000
    producing wells
  • Major Research Programs, NCAA Programs
  • 6 Physician Practice Plans, 4 Hospitals

6
UT System Institutions
  • U.T. Arlington
  • U.T. Austin
  • U.T. Brownsville
  • U.T. Dallas
  • U.T. El Paso
  • U.T. Pan American
  • U.T. Permian Basin
  • U.T. San Antonio
  • U.T. Tyler
  • U.T. Southwestern Medical Center at Dallas
  • U.T. Medical Branch at Galveston
  • U.T. Health Science Center at Houston
  • U.T. Health Science Center at San Antonio
  • U.T. M.D. Anderson Cancer Center
  • U.T. Health Center at Tyler

7
What is Compliance?
8
What is Compliance?
  • Compliance is focused on ensuring that an
    entity operates within the boundaries of all
    applicable laws, rules, policies and regulations
    governing higher education institutions (internal
    and external)
  • Compliance is critical to avoid monetary
    loss/penalties, loss of funding, damage to
    reputation, and demands on executive time
  • An effective compliance program should result
    in fewer surprises through early detection of
    non-compliance and fraud

9
What is Non-compliance?
  • The University of Connecticut will pay $2.5
    million to settle allegations it filed false
    grant applications and overbilled the government
    for research (Jan 06)
  • The University of South Florida has fired
    three employees after it found $275,000 in
    misplaced checks and cash in their office (Jan
    06)
  • The U.S. attorney delivered an ultimatum to the
    troubled University of Medicine and Dentistry of
    New Jersey telling its governing board to accept
    a federal takeover of the school's financial
    operations or face criminal prosecution that
    could shut it down (Dec 05)
  • double billing Medicare and Medicaid by at
    least $4.9 million
  • The University of Medicine and Dentistry of New
    Jersey improperly awarded more than $16 million
    in contracts last year without competitive
    bidding
  • American University - excessive compensation,
    travel and personal expenses
  • ITT Educational Services Inc. agreed to pay
    $725,000 to settle a lawsuit in which employees
    charged that the higher education company had
    inflated students' grade point averages so they
    qualified for more financial aid from the State
    of California.

10
UT System Non-compliance
  • UTPA Forgery - $250,000 (1991)
  • UT Austin Fictitious Vouchers - $800,000 (1994)
  • Several Institutions IRS issues - $1 Million
    (1992-1994)
  • UT Austin Illegal Drugs in Chemistry Department
    (1994)
  • Medical School Medicare Billing - $17 Million
    (1997)
  • UTMB Galveston Human Subjects closed research
    (2000)

11
Compliance Fundamentals
12
Compliance vs. Audit Programs
  • Compliance works with the business units to
    maximize compliance with applicable laws, rules,
    regulations, policies and procedures
  • Compliance functions are generally embedded in
    the business function and are part of the control
    structure
  • On-going, daily assurance
  • Audit is an independent, objective assurance
    and consulting activity designed to add value by
    evaluating the control structure
  • Periodic and after the fact assurance

13
Elements of a Successful Compliance Program
  • For an organization to have an effective
    compliance program, the following elements are
    required:
  • 1. Existence of written standards
  • 2. Effective oversight
  • 3. Due care in delegation of authority
  • 4. Training
  • 5a. Monitoring and auditing to detect
    non-compliance
  • 5b. Provide and publicize a system to report
    non-compliance
  • 6. Standards consistently enforced through
    appropriate discipline
  • 7. Corrective action once offense has occurred to
    prevent future similar instances
  • Note: From the United States Federal Sentencing
    Guidelines, 1991

14
Implementing an Effective Institutional
Compliance Program
  • Definition: An Institutional Compliance Program
    is one that encompasses your entire university
  • Must have one within Athletics
  • And within the Safety Program
  • The Institutional Compliance Program joins it all
    together, creating a situation in which one
    individual is held accountable by the president

15
Implementation of an Effective Institutional
Compliance Program (cont'd)
  • Building the Infrastructure
  • Creating Compliance Awareness
  • Managing Critical Risks
  • Appraisal and Renewal

16
A. Building the Infrastructure
  • TIME and RESOURCES required
  • Driven by the size and overall complexity of your
    institution
  • Convincing your institution to fund and/or staff
    the program
  • Specific tasks
  • Appoint a COMPLIANCE OFFICER
  • Current executive or a new position, full-time or
    part-time
  • Attorney, Auditor, Business Officer
  • Appoint a COMPLIANCE COMMITTEE
  • Executive: President's Cabinet
  • Working Committee: High Risk Area Department
    Heads (H.R. Director, Safety Officer, etc.)
  • Establish a COMPLIANCE FUNCTION/OFFICE
  • Full-time staff or slice of current staff time
  • Housed in the legal, audit, business affairs
    office, or it can stand alone

17
A. Building the Infrastructure - Compliance
Office Responsibilities
  • Compliance Office responsibilities
  • Make compliance a part of everyday activities of
    the institution
  • Monitor the various compliance program activities
  • Communicate with the chief executive officer and
    others regarding compliance program activities
  • Establish a compliance function

18
A. The Infrastructure
  • Compliance Officer
  • Compliance Committee
  • Compliance Function/Office
  • Institutional Community Imbued with Ethical
    Culture

19
B. Creating Compliance Awareness
  • Compliance Awareness: An Institution Imbued with
    Ethical Culture
  • From the bottom up, include everyone
  • Develop a Standards of Conduct Guide (Code of
    Conduct)
  • Develop a General Compliance Training Program
  • Face to face
  • Web-based
  • Articles and emails
  • Establish a confidential reporting mechanism
    (Compliance Hotline)
  • Third Party Vendor
  • In-house Legal or Audit
  • Email

20
C. Managing Critical Risks
  • Risk ASSESSMENT Process
  • Identify risks to achieving the goals and
    objectives of the institution
  • Probability of Occurrence
  • Potential Impact Related to Occurrence
  • Identify the SHOW-STOPPERS

21
C. Managing Critical Risks - Risk Assessment Matrix
[Table: risk assessment matrix (BEST PRACTICES). Column headings: Objective/Activity; Risk Exposure; Rank Before Controls; Rank After Controls; Potential Impact; Prob. of Occur.; Mitigation Strategy; Operating Controls; Monitoring Controls; Oversight Controls; I/A Controls. Rating scales shown: H/M/L; HH, HM, HL, MH, MM. Mitigation strategies shown: Avoid, Accept, Transfer, Control.]
22
C. Managing Critical Risks (cont'd)
  • Determine risks that are organization critical
  • Medicare Billing Rules (fines)
  • Research Time and Effort Reporting (fines)
  • Research Human Subjects (suspension)
  • Research Medical Billing (fines)
  • Lab Safety (injury)
  • Fire (injury and death)
  • Athletic Recruiting (loss of scholarships)
  • Athletic Boosters (loss of scholarships)
  • Sexual Harassment (very bad)
  • Endowment Spending (repay endowment)

23
C. Managing Critical Risks (cont'd)
  • Risk MANAGEMENT Process for A risks
  • Single High-Level Responsible Party
  • Dean or Provost, VP of Research or Business, HR
    Director
  • Knowledge and authority to manage risk
  • Specialized Training Plan
  • Risk Specific: For whom, what knowledge,
    frequency, by whom
  • Monitoring Plan
  • How do you know if you are following the rules?
  • Reporting Plan
  • Report Cards to Compliance Officer and/or
    President, corrective action
  • What activity and items to be reported,
    frequency, for whom

24
C. Managing Critical Risks - Monitoring Plan
  • Monitoring plans
  • Every step in a monitoring plan should already
    exist in the policies and procedures that manage
    the risk
  • The monitoring plan serves as the criteria for
    all types of assurance services
  • The monitoring plan for high risks must include
    Level 1, Level 2, and Level 3 controls
  • The monitoring plan must indicate the
    documentation that is created by each level of
    control

25
Levels of Internal Control
[Figure: Levels of Internal Control chart (UT System Audit Office, David B. Crawford, 07/28/99). Axes: Involvement in Process (None, Little, Some, Totally); Items Affected (Isolated Items; Exceptions, status; Sample of Transactions; Every Transaction); Time (Real Time, Soon After, Annually, Periodically). Levels shown: Level 1 - Execution, Level 2 - Supervisory, Level 3 - Oversight, Level 4 - I/A.]
26
Assurance Continuum Model for the 21st Century
[Figure: assurance continuum. Labels: Collaborative Assurance (Governance and Management Control Processes); Periodic Assurance (Governance Control Processes); On-going Assurance (Management Control Processes); Level 1, Level 2, Level 3 and Level 4 Controls. Timing labels: Pre-operations design review of on-going assurance; During execution of event or transaction; Immediately after execution of event or transaction; Soon after execution of event or transaction; Post-operations audit of execution of on-going assurance.]
27
C. Managing Critical Risks - Monitoring Plan
  • Execution or Operating Controls (Level 1)
  • Policies and procedures, data integrity,
    segregation of duties
  • Embedded in day-to-day operations and performed
    by generators of events
  • Performed on every event/transaction in real time
  • Monitoring plan will include a definition of the
    documentary evidence created to support the
    application of the operating controls
  • Supervisory or Monitoring Controls (Level 2)
  • Supervisory review of operating controls to be
    performed
  • Performed by line management or staff positions
    not originating the event
  • Performed on sample of total events soon after
    the event/transaction
  • Monitoring plan will include a definition of the
    documentary evidence created to support the
    application of the supervisory controls

28
C. Managing Critical Risks - Assurance Activities
  • Oversight Controls (Level 3)
  • Exception reports, status reports, analytical
    reviews, variance analysis
  • Performed by representatives of executive
    management not part of day-to-day operations on
    information provided by supervisory management
  • Performed weeks to months after
    event/transaction originated
  • Examples include compliance inspection
  • Audit Controls (Level 4)
  • Performed by staff with no involvement in the
    operations
  • Performed weeks to months after
    event/transaction originated
  • Examples include Internal/External audits of
    high-risk area or compliance program, peer reviews

29
C. Managing Critical Risks - Sample Monitoring Plan
30
Operational Examples - Levels of Control in the COSO Model
31
Collaborative Assurance Model
32

Assurance Strategies Matrix
33
D. Appraisal and Renewal
  • Addressing instances of non-compliance
  • On-going assurance regarding the management of
    mission critical risks
  • Certifications
  • Inspections
  • Peer Reviews
  • Agreed-upon Procedures
  • Audits (design and/or information validation)
  • Periodic assessment of the Compliance Program
  • Self-assessment
  • External Peer Review
  • Renewal
  • (Action Plan based on periodic assessment)

34
Benefits of Effective Compliance Program
  • Reduction in NEGATIVE PUBLICITY
  • Reduction in FINES and EXTERNAL AUDITS
  • Reduction in WORKERS COMP. CLAIMS
  • Safety Program Awards
  • Change in Organizational Culture
  • Established Basis for Enterprise-wide Risk
    Management and Accountability Program

35
Sharing What We Learned
  • How-to-do-it book: Effective Compliance Systems:
    A Practical Guide for Educational Institutions,
    available from The Institute of Internal
    Auditors, Inc.
  • Hosted 4 National Conferences on Effective
    Compliance Systems/ERM in Higher Education
  • March 2000, October 2002, April 2004,
    March 2006 in Austin, Texas
  • Hosted Sarbanes-Oxley Conference, October 2003
  • Sharing: Presentations at ACUA and IIA
    conferences, at individual institutions of higher
    education, and to commercial organizations
  • Sharing: Major Research Institutions Compliance
    Group formed after 2nd Compliance Conference

36
Audit's Value in Compliance
37
Compliance and Audit
  • Compliance works with the business units to
    maximize compliance with applicable laws, rules,
    regulations, policies and procedures
  • Compliance functions are generally embedded in
    the business function and are part of the control
    structure
  • On-going, daily assurance
  • Audit is an independent, objective assurance
    and consulting activity designed to add value by
    evaluating the control structure
  • Periodic and after the fact assurance

38
Internal Audit Plays a Key Role in Developing a
Compliance Program
  • Understands COSO
  • Experience in Risk Assessments
  • Know the Different Levels of Controls
  • Ability to Train
  • Audited Compliance Issues for Years

39
Compliance Audit Objectives
  • To provide assurance that an effectively designed
    compliance program for the high risk area has
    been implemented and is operating effectively
  • Are risk assessments taking place?
  • Are risk management plans in place for all high
    compliance risk areas?
  • Single high-level responsible party?
  • Specialized training provided to appropriate
    personnel, by appropriate content experts?
  • Monitoring plans in place and being executed for
    all high compliance risk areas?
  • Is the reporting structure operating? Corrective
    actions implemented?
  • Providing periodic assessment of the overall
    compliance program
  • To provide assurance that the institution is in
    compliance with policies, plans, procedures,
    laws, and regulations that could have a
    significant impact on operations and reports

40
When to audit
  • The Compliance Office is responsible for
    conducting inspections of all the high risk
    areas, except for the ones for which they are
    responsible

41
Inspections
  • Inspection results
  • Ready for audit - Internal Audit schedules the
    audit
  • Not ready for audit - The Compliance Office works
    with the responsible person and informs Internal
    Audit when the area is ready
  • Internal Audit performs the inspections on areas
    where the responsible party is in the Compliance
    Office

42
Audit Procedures
  • Leverage prior audits and/or other institution
    audit procedures within your system
  • Gain an understanding of the high risk area
  • Test the high risk area
  • Monitoring
  • Training
  • Reporting
  • Audit report to management

43
Gaining an Understanding
  • Review prior audits
  • Review policies and procedures relevant to the
    high risk area
  • Review the inspection report and any working
    papers prepared by the Compliance Office
  • Follow up on any recommendations made in the
    inspection report.
  • Review the Institutional Compliance Program
    manual for information relating to the high risk
    area, such as
  • Risk Assessment
  • Assess for reasonableness, any changes, etc.
  • Compliance Program Operations Guide
  • Assess for reasonableness, completeness
  • Method of Monitoring
  • Interview the responsible person, others as
    considered necessary
  • Attend educational conferences highlighting high
    compliance risk areas (!)

44
Testing - Method of Monitoring
  • Determine if the responsible person is monitoring
    compliance as stated in the monitoring plan
  • Review documentation maintained by the
    responsible person to ensure that monitoring is
    being documented
  • Determine if the monitoring plan appears reasonable.
    Is it measurable, sufficient to ensure
    compliance, etc., based on the auditor's understanding
    of the area?

45
Testing - Examples of Audit Tests of Monitoring
  • Method of Monitoring
  • Supervisory review of journal entries by
    Manager of Financial Reporting.
  • Audit procedure
  • Select a sample of journal entries to determine
    if Manager is reviewing and approving journal
    entries.

46
Testing - Training
  • Determine if training is being performed in
    accordance with the training plan
  • Review documentation, such as sign-in sheets,
    etc., to ensure that training is being performed
  • Determine if the training plan appears reasonable,
    based on the auditor's understanding of the area. Is
    the population of employees specified? Do
    responsible persons receive training?

47
Testing - Reporting
  • Determine if reporting is being performed in
    accordance with the reporting plan
  • Review documentation, such as quarterly reports
    and compliance committee meeting minutes to
    ensure that reporting is being performed

48
Audit Reporting Process
49
Exit Conference
  • First, an exit conference is held with the
    responsible person and any others deemed
    necessary to discuss potential findings and
    recommendations

50
Audit Report
  • Then, a report is drafted. When the responsible
    person is satisfied and the report has gone
    through appropriate levels of review, it is
    addressed to the President and given to the
    following:
  • Responsible person
  • Responsible person's supervisor (Dean, VP, etc.)
  • Members of the Audit and Compliance Committee
  • Compliance Officer
  • Assistant Compliance Officer(s)

51
Audit Report
  • Background: Describes the compliance program,
    applicable policies and procedures, risks of
    noncompliance
  • Audit Objectives: Purpose of the audit
  • Scope and Methodology: Details of what we did to
    achieve the audit objectives
  • Summary of Significant Findings: If any
  • Audit Results & Management's Responses: Positive
    features of the compliance program, and any
    recommendations for improvement
  • Conclusion: As to the effectiveness of the
    compliance program

52
Audit Report
  • Usually any high risk area audit recommendations
    are classified as significant to operations
  • If the recommendation does not significantly
    affect the monitoring, training, or reporting
    functions, then it is classified as significant
    to the high risk area's compliance operations

53
Audit Report
  • Why do we put compliance recommendations in
    the audit report?

54
Audit Report
  • So
  • they
  • will
  • be
  • implemented!

55
High Risk Areas
56
High Risk Areas
  • Environmental Health & Safety - proper use
    and handling of dangerous materials, lab safety,
    and fire safety
  • Research - research not conducted in
    accordance with approved protocol or federal
    regulations
  • Contract Administration / Effort Reporting -
    improper effort reporting on federal grants,
    unallowable costs
  • Intercollegiate Athletics - adherence to the
    rules and regulations of the NCAA
  • Student Financial Aid - student eligibility,
    fiscal management in accordance with Education
    Department
  • High Risk Areas to be discussed in this track

57
High Risk Areas (continued)
  • Clinical Billing - medical billing that is not
    appropriately documented and coded
  • Endowments - adherence to terms of endowment
    agreement
  • Asset Management - safeguarding of physical and
    financial assets
  • Human Resources - adherence to applicable
    rules, regulations and laws including equal
    opportunity/affirmative action, leave
    administration, and fair hiring practices
  • Information Resources/Security - systems
    integrity/continuity/availability, security
    regulations, and external access
  • Privacy (HIPAA, FERPA, Gramm-Leach-Bliley) -
    improper disclosure of private/sensitive/protected
    information

58
Environmental Health & Safety
J.J. Pickle Research Campus
Regulatory Agencies
Pulse Reactor
59
Research
60
Intercollegiate Athletics
61
Resources
  • www.utsystem.edu/compliance
  • www.utsystem.edu/AUD
  • www.theiia.org
  • www.coso.org

62
Questions?