Auditing ADA-IT Compliance: How to Leverage Judgments from Other Institutions

Transcription

1 Auditing ADA-IT Compliance: How to Leverage Judgments from Other Institutions Presenter Deena King Director of Compliance Texas Woman s University Introduction TWU, You, and the Agenda 1

2 About Texas Woman s University The nation s largest university primarily for women Founded in 1901 Girls Industrial College Located in Denton, Texas Denton 12,868 Dallas 1,426 Houston 1,361 Total: 15,655 About Texas Woman s University Part and Full time Faculty/Staff: 1,328 Adding GA, Adjunct, Students: 2,200 (as of ) Undergraduate/Graduate: 66.5%/33.5% Women/Men (1972/1994): 87.5%/12.5% 2

3 Management Principle Seek first to understand, then to be understood. Stephen R. Covey The Seven Habits of Highly Effective People About You: Survey 1 How many of you are new to compliance audit? 2 How many of you are experienced with compliance audit? 3 How many of you just did not want to go to another session? 3

4 About You: Survey 1 Audit Committee? 2 Chief Audit Executive? 3 Director? 4 Manager? 5 Auditor/Sr. Auditor? About You: Survey In your organization Do you have an institutional ethics and compliance (E&C) program? Is E&C separate from internal audit? Is E&C combined with internal audit? 4

5 About You: Survey How many of you attended my session last year? If yes, be prepared for some repetition. Agenda Overview of the primary compliance activities/principles Three primary levels of internal controls Eight controls activities required by the federal guidelines Apply these principles to ADA Web Access How to leverage judgments Popular management principles 5

6 Compliance in Higher Ed Compliance is not new to higher education. Some universities have had institutional compliance programs for over 20 years. Compliance Activities and Principles The Framework 6

7 Management Principle Concentrate on building an organization building a ticking clock rather than telling time...take an architectural approach and concentrate on building organizational traits Jim Collins & Jerry Porras Built to Last, pp (paraphrased) Primary Compliance Activities and Principles Three levels of control IIA Lines of Defense Organizational Hierarchies COSO Integrated Framework Eight Effective Compliance Program control activities 7

8 Three Levels of Internal Control Control Objective: Verify there are internal controls in place at all three levels Board Governance Management Executives; Directors Managers; Front Line Performance/Operational IIA s Three Lines of Defense Control Objective: Verify there are internal controls in place at all three levels Management Board Operations 8

9 IIA s Three Lines of Defense U.S. Sentencing Guidelines (aka Federal Sentencing Guidelines or FSG) 9

10 U.S. Sentencing Guidelines (aka Federal Sentencing Guidelines or FSG) Three Levels of Internal Control Board: The organization s governing authority shall be knowledgeable and shall exercise reasonable oversight USSG 8B2.1.b.2.A (emphasis added) 10

11 Three Levels of Internal Control Management: High level personnel of the organization shall ensure that the organization has an effective compliance and ethics program. USSG 8B2.1.b.2.B (emphasis added) Three Levels of Internal Control Operational: Specific individual(s) within the organization shall be delegated day to day operational responsibility for the compliance and ethics program. USSG 8B2.1.b.2.C (emphasis added) 11

12 Three Levels of Internal Control and COSO COSO Cube Control Objective Verify there are internal controls in place at all levels U.S. Sentencing Guidelines (aka Federal Sentencing Guidelines or FSG) 12

13 U.S. Sentencing Guidelines (aka Federal Sentencing Guidelines or FSG) The Eight Control Activities at TWU 1 1. Identify Requirements/Assess Risk 2. Establish/ Modify Compliance Organization 3. Document Standards, Policies, and Procedures 4. Communicate Standards, Policies, and Procedures 5. Implement, Promote, and Enforce 6. Monitor, Audit, and Report 7. Continuous Improvement 8. Leadership/Campus Culture 1 Adapted from Compliance in One Page Used with permission. 13

14 Continuous Improvement Laws Regulations Regulators Identify Requirements/ Assess Risk Laws Regulations Regulators Monitor, Audit, and Report TWU Compliance Process: The Model 2 Leadership/ Campus Culture Establish/Modify Compliance Organization Document Standards, Policies, and Procedures Implement, Promote, and Enforce Communicate Standards, Policies, and Procedures Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness. 2 Adapted from Compliance in One Page Used with permission. Workshop: The Eight Control Activities The Eight Control Activities 1. What should the Board be doing? 2. What should management be doing? 3. What should people on the front lines be doing? 14

15 Leveraging Judgments from Other Institutions Case Study: Miami Ohio ADA IT (Web Access) The Eight Control Activities at TWU 1 1. Identify Requirements/Assess Risk 2. Establish/ Modify Compliance Organization 3. Document Standards, Policies, and Procedures 4. Communicate Standards, Policies, and Procedures 5. Implement, Promote, and Enforce 6. Monitor, Audit, and Report 7. Continuous Improvement 8. Leadership/Campus Culture 1 Adapted from Compliance in One Page Used with permission. 15

16 Applying the Three Lines ADA-IT Web Access From Two Angles IIA Consulting (Implementation) and IIA Assurance (Operations) 16

17 Background January 2014 Background January

18 Background October 2016 ADA-IT Web Access Implementation: Leveraging Judgments as an Internal Audit Consultant 18

19 IIA Standards - Consulting Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice the internal auditor, and (2) the person or group seeking and receiving the advice the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility. Internal Audit Consulting Engagement Organization s Assumption: We are not in full compliance and are setting up a team to get us there. 19

20 Initial Sources Compliance News, Blogs, s, Notifications Alternate Sources NACUA Resource Library Attorney Blogs SME Blogs 1a. Identify Requirements Primary Sources Consent Decrees NACUA Research 20

21 NACUA Research Legal and Regulatory Developments in Digital Accessibility, June 26 29, 2016, by Teresa L. Jakubowski o Laws and Regulations o Case Law o Settlements and OCR Resolution Agreements o Multiple lists of summary university agreements o Rulemaking NACUA Research No Speed Limit: Avoiding ADA Roadblocks and 504 Potholes, March 11 13, 2015, by Jeanne M. Kincaid o o o o o o o Accessibility Audit EIT Accessibility Policy and Procedures University Websites Procurement Library Course/Learning Management Systems Other Fantastic Comparison Table 21

22 Introduction p. 23 (PDF) Consent Decrees (i.e. Judgments) 22

23 Summary of Miami-Ohio Decree 18 categories 50 prescriptive tasks Applicable deadlines 2 months 6 months 18 months Entire timeline 2.5 years 1 1Expected to be fully compliant by the end of the academic year Internal Audit Consulting Engagement Recommendation: Someone convert the contents of the Consent Decree (and other research) into an Action Plan. 23

24 5Within six (6) months 9/12/2017 Sample Task Based on Consent Decree Done? (Yes/No/Partial) and Status Item # and Brief Description Details Who When* TWU Compliance Step B. Web Content Accessibility 21. Within six (6) months of the entry of this Consent Decree Miami will: B.21.a Requirements for new and redeveloped content a. Subject to Paragraph 22, infra, provide in conformance with the World Wide Web Consortium's ("W3C") Web Content Accessibility Guidelines ("WCAG") 2.0 AA all new (i.e., non existent until on or after entry of this Consent Decree) and redeveloped (i.e., existing before entry of this Consent Decree but substantially changed in terms of functionality or structure) web pages, web applications, and web content, created by Miami, on websites and subdomains used for Miami's academic divisions, academic departments, and administrative offices (listed at Exhibit A). Plain English, Please! 21.Within six (6) months of the entry of this Consent Decree Miami will: a. Subject to Paragraph 22 [videos and electronic documents], infra, provide in conformance with the World Wide Web Consortium's ("W3C") Web Content Accessibility Guidelines ("WCAG") 2.0 AA all new (i.e., non existent until on or after entry of this Consent Decree) and redeveloped (i.e., existing before entry of this Consent Decree but substantially changed in terms of functionality or structure) web pages, web applications, and web content, created by Miami, on websites and subdomains used for Miami's academic divisions, academic departments, and administrative offices (listed at Exhibit A). 24

25 1b. Assess Risk What do we currently have in place? Where are we strong? Where are we weak? Are we at risk of lawsuits/judgments? Where should we start? 2. Establish/Modify Compliance Organization Possible Team Composition ADA (HR and Student Life) IT Marketing/Communications Learning and Teaching with Technology Compliance Audit (IIA Consulting) 25

26 Steps Document Standards, Policies, and Procedures Have they designed an Action Plan based on what was learned in Step 1a? Much of what will happen in this step is creating procedures for operational personnel. 4. Communicate Standards, Policies, and Procedures Does the Plan have a communications component? Part of this is creating training for operational personnel. Steps Implement, Promote, and Enforce Are they executing the Plan? 6. Monitor, Audit, and Report Is someone monitoring execution of Plan? Reporting to Cabinet? Is audit provided exemplary internal controls guidance? 26

27 Steps Continuous Improvement Is there a process for making changes to the Plan as new issues emerge? 8. Leadership/Campus Culture Monitor behavior of leaders and culture during the process The Eight Control Activities at TWU 1 1. Identify Requirements/Assess Risk 2. Establish/ Modify Compliance Organization 3. Document Standards, Policies, and Procedures 4. Communicate Standards, Policies, and Procedures 5. Implement, Promote, and Enforce 6. Monitor, Audit, and Report 7. Continuous Improvement 8. Leadership/Campus Culture 1 Adapted from Compliance in One Page Used with permission. 27

28 ADA-IT Web Access Operations: Leveraging Judgments for an Assurance Engagement IIA Standards Assurance Assurance services involve the internal auditor s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved the process owner, (2) the person or group making the assessment the internal auditor, and (3) the person or group using the assessment the user. 28

29 Internal Audit Assurance Engagement Organization s Assumption: We are pretty sure we are in full compliance and would like internal audit to provide some assurance. Three Lines Applied to ADA Web Access Operations 29

30 1a. Identify Requirements Same research, but with a different objective Audit for compliance Miami will comply with the requirements of Title II, the Title II regulation, and the requirements of this Decree. Existing program should contain a lot (but not necessarily all) of what was learned in Step 1a as discussed in Consulting above Allowance Made for Undue Burden Q.63 Requirements for asserting undue burden For any technology related requirement in this Decree for which the University asserts undue burden or fundamental alteration such assertion may only be made by: (a) the President of Miami or (b) an individual designated by the President and 30

31 1b. Assess Risk Assess risk of each item to set priorities Consider organizational constraints when required items are not in place Undue Burden Goal: Coverage Internal Audit Assurance Engagement Major Task: Convert of the Consent Decree (and other research) into an Audit Program. 31

32 Sample Test Using Consent Decree Test No: Objectives Met? Comments and Evidence Key Contact Additional Notes and Findings Audit Objective: Assess the state of the current internal compliance program. Identify gaps and make recommendations. B. Web Content Accessibility B.21.a Requirements for new and redeveloped content 21. Within six (6) months of the entry of this Consent Decree Miami will: a. Subject to Paragraph 22, infra, provide in conformance with the World Wide Web Consortium's ("W3C") Web Content Accessibility Guidelines ("WCAG") 2.0 AA all new (i.e., non existent until on or after entry of this Consent Decree) and redeveloped (i.e., existing before entry of this Consent Decree but substantially changed in terms of functionality or structure) web pages, web applications, and web content, created by Miami, on websites and subdomains used for Miami's academic divisions, academic departments, and administrative offices (listed at Exhibit A). Y/N, NA/P Workshop: Designing Audit Tests 1. Rephrase each item into a plain English control objective. 2. How would you test each control objective? 3. If this control objective is not in place, what would your audit recommendation be? 32

33 2. Establish Compliance Organization Student Disability Services University Accessibility Committee Accessible Technology Specialist Web Accessibility Coordinator Accessible Technology Coordinator Chair of Accessibility Committee 3. Document Standards, Policies, and Procedures Reasonable policies, practices, and procedures Procedures for timely access to accessible textbooks and course materials Accessible Technology Policy How to Make Web Content Accessible Technology Procurement Policy 33

34 4. Communicate Standards, Policies, and Procedures Communicate with students at least once a month Communicate with instructors at least twice a semester Train its personnel who are responsible for converting, or coordinating the third party conversion of, textbooks, workbooks, and course materials for students Accessible Technology Policy Training New hires Faculty, Admins, TAs, etc. Relevant personnel annually 5. Implement, Promote, and Enforce Write a plan to make pre existing web pages, web applications, and web content comply with WCAG 2.0 AA and complete it within 18 months. Cause such third party content, websites, or applications to conform with WCAG 2.0 AA. Make any web content relating to applications for admission or financial aid that Miami posts to its web pages or web applications conform to WCAG 2.0 AA. 34

35 6. Audit, Monitor, and Report Conduct a University wide Accessibility Audit of digital technologies. Miami will obtain an automated accessibility testing tool to evaluate conformance of its web pages and web applications. Provide a method by which visitors to Miami's websites can submit feedback on how accessibility can be improved. 7. Continuous Improvement Within one (1) month of conducting each automated accessibility test, Miami will bring into conformance with this Decree any nonconformance identified. Create an Accessibility Audit Corrective Action Plan that will address, in order of priority, the following findings of the University wide Accessibility Audit. By the conclusion of the academic year, Miami will remedy the findings of the University wide Accessibility Audit. 35

36 8. Leadership/Campus Culture Miami will comply with the requirements of Title II, the Title II regulation, and the requirements of this Decree. Miami must take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others. 8. Leadership/Campus Culture Miami will comply with the requirements of Title II, the Title II regulation, and the requirements of this Decree. Miami must take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others. 36

37 The Eight Control Activities at TWU 1 1. Identify Requirements/Assess Risk 2. Establish/ Modify Compliance Organization 3. Document Standards, Policies, and Procedures 4. Communicate Standards, Policies, and Procedures 5. Implement, Promote, and Enforce 6. Monitor, Audit, and Report 7. Continuous Improvement 8. Leadership/Campus Culture 1 Adapted from Compliance in One Page Used with permission. The Eight Control Activities at TWU 1 1. Identify Requirements/Assess Risk 2. Establish/ Modify Compliance Organization 3. Document Standards, Policies, and Procedures 4. Communicate Standards, Policies, and Procedures 5. Implement, Promote, and Enforce 6. Monitor, Audit, and Report 7. Continuous Improvement 8. Leadership/Campus Culture 1 Adapted from Compliance in One Page Used with permission. 37

38 Internal Audit Assurance Engagement Super Out of the Box: How could what we just discussed be converted to a self audit validation engagement? Management Principle they infused the entire process with the brutal facts of reality [when] you start with an honest and diligent effort to determine the truth of the situation, the right decisions often become self evident. Jim Collins Good to Great, pp

39 Management Principle Synergy [and the] Principles of Creative Cooperation. Stephen R. Covey The Seven Habits of Highly Effective People TWU s Draft Action Plan Compliance Forms and Documents Miami Ohio University ADA IT Decree Draft Action Plan 39

40 Summary Summary Reviewed the primary compliance activities/principles Three primary levels of internal controls Eight controls activities required by the federal guidelines Applied these principles to ADA Web Access Leveraging as an internal controls consultant Leveraging during an audit assurance engagement Popular management principles 40

41 Questions (If Time Allows)?? Thank you!! Auditing ADA-IT Compliance: How to Leverage Judgments from Other Institutions Presenter Deena King Director of Compliance Texas Woman s University dking16@twu.edu 41