SUSTAINING A COMPLIANCE PROGRAM


Slide 1: SUSTAINING A COMPLIANCE PROGRAM
  Charles G. Chaffin, CPA, CIA
  Chief Audit Executive and System-wide Compliance Officer, The University of Texas System
  June 3, 2008, Conference for Effective Compliance Systems in Higher Education

Slide 2: Keeping Zip in Your Compliance Program
  - Keep the boss engaged
  - Keep the message fresh
  - Perform continuous risk assessment
  - Make compliance personal
  - Focus on what is important
  - Utilize all available resources
  - Perform continuous evaluation

Slide 3: Keep the Boss Engaged
  - Active and lively Compliance Committee meetings
  - Regular (at least monthly) activity reports emphasizing:
      - how a process prevents or minimizes a potentially significant problem
      - how an effective compliance program creates positive PR for the institution and/or the boss
  - Continuous exposure to peer events
  - "Compliance In the News" at least weekly

Slide 4: Keep the Message Fresh
  - Multiple delivery mechanisms for training: Web, , Instructor-led, Video vignettes
  - Unusual and attention-grabbing content: Scenarios, Contests, Q&A sessions
  - Make it personal
  - Keep the theme constant, but emphasize the hot topic: Doing the Right Thing, Conflict of Interest, IT Security

Slide 5: Perform Continuous Risk Assessment
  Replace periodic detailed risk assessments with a process that continuously monitors the institution's risk environment for:
  - New risks (IT Security, Clinical Research Billing)
  - Current risks whose significance to the success of the institution changes (Student Loans)
  - Disappearing risks (Equipment)
  - Triggers that would cause a new detailed risk assessment to be performed (New governance or executive management team)

Slide 6: Make Compliance Personal
  - Identify those involved in each step of the risk management process, specifically those who perform, monitor, report, and apply consequences of non-compliance
  - Include the employee's compliance footprint in performance evaluation
  - Reward for Doing the Right Thing
  - Remediate and sanction for a poor footprint

Slide 7: Focus on What is Important (1 of 2)
  First, determine the set of controls that provide the most effective means of managing the portfolio of risks in a process or activity:
  - A single control usually works on multiple risks
  - Identify the significant controls that manage the critical risks and most of the other risks
  - These usually include the universally applicable controls: (1) documented policies and procedures, (2) training staff, (3) reconciliations, (4) segregation of duties, and (5) supervisory review

Slide 8: Focus on What is Important (2 of 2)
  Second, apply the quality and monitoring controls with the correct intensity. The intensity depends on:
  - The criticality of the risk:
      - Critical risks require a detailed redo of transactions
      - Medium risks may need a redo of only a sample, or simply an analytical review of accumulated data
      - Low risks may need no quality/monitoring controls
  - The composition of the transaction universe:
      - Stratify by dollars, transaction type, activity, etc., and apply quality/monitoring controls to selected strata only

Slide 9: Utilize All Available Resources
  - Stakeholder Feedback: Complaints, suggestions, questions
  - Subject Matter Peer Review Teams
  - External, Independent Assurance Providers:
      - Federal, state, and donor auditors
      - Accreditation Teams (SACS, JCAHO)
      - Certification Auditors (ISO, SOX, etc.)

Slide 10: Continuous Evaluation
  - Survey employees
  - Analyze hotline and complaint activity
  - Benchmark
  - Obtain periodic external Peer Review
  - Remember: DISASTER is just around the corner

Slide 11: Questions