Best Practices in Implementing an Effective Compliance Program by suf46043


Best Practices in Implementing an Effective Compliance Program

Presented By
David B. Crawford, CIA, CCSA
Justina Crawford, MA, BME

• Introduction
• Essentials of An Effective Compliance Program
• How to Begin
• The First Six Months
• Code of Conduct and General Compliance

• Risk Assessment
• Managing the Critical Risks
• Assurance Strategies
• Handling Potential and Actual Instances of
• What About the Non-critical Risks?
• What's Next?
Compliance Program Objective

To provide an infrastructure that facilitates on-going assurance that the institution is complying with internal and external laws, regulations, policies, and

Essential Elements
• Compliance standards and procedures
• High level manager in charge
• Communicate what is important to all
• Monitor and Audit
• Confidential Reporting Mechanism
• Consistent enforcement and discipline
• Respond, learn, and adjust
Compliance & COSO
• COSO components
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information & Communication
  – Monitoring
• Corresponding compliance program elements
  – Standards & high level manager in charge
  – Communicate what is important to all
  – Monitoring Plans
  – Awareness and reporting mechanisms
  – Monitor and Audit
Developing the Action Plan
• Ad hoc committee to develop plan
• Outside assistance
• Words are so important
• Approval from highest authority possible
• It takes longer than you think
• It must have relevance to each individual
The First Six Months
• Establish the compliance committee structure

• Appoint a Compliance Officer

• Establish a compliance function

• Train the infrastructure employees
Compliance Committees

• Executive Compliance Committee (ECC)

• Compliance Working Committee (CWC)

• High-risk Sub-committees
ECC Purpose

• To provide the executive level decision-making function for the institution's compliance program

• To serve as an extension of the Board in providing the oversight function for the compliance program at the institution
ECC Duties and Responsibilities
Provide Guidance & Direction
• Establish the policies for the compliance
• Set the "tone at the top" for the institution's commitment to ethics, integrity, and doing the right thing
• "Walk the talk": that is, provide continuous example of how the institution expects employees to act
ECC Duties and Responsibilities
Allocate Appropriate Resources
• Appoint a senior executive as the Compliance Officer

• Appropriate resources are dictated by the complexity of the compliance environment of the institution
  – Resources include budgets specifically for compliance infrastructure activities and the structuring of compliance activities into normal operational duties
ECC Duties and Responsibilities
Oversee the Institution's Compliance Program
• Understand the compliance risk picture of the institution
• Approve the Annual Compliance Operating Plan to manage the institution's critical compliance risks
• Monitor the execution of the plan to manage compliance risks
• Review sanctions (for significant non-compliance instances) and rewards (for exemplary compliance efforts) to ensure equity and consistency
ECC Composition and Operation
• Senior executives
• Size is determined by compliance complexity and operating philosophy
• Meetings should be as frequent as necessary to perform duties and responsibilities, but at least quarterly
• Maintains minutes of meetings
Compliance Working Committee
• Composition – the responsible party from
  each high-risk area
• Duties
  – Receive periodic activity reports from each
    high-risk area
  – Perform specific tasks assigned by Compliance
  – Recommend the Critical Risks to the ECC
  – Act as Compliance Advocates & Cheerleaders
High-Risk Area Sub-Committees
• Leader - Compliance Working Committee
  Member from High-risk area
• Members – Employees representing each
  risk in the high-risk area
• Duties
  – Perform risk assessment of the High-risk area
  – Determine Critical Risks for the high-risk area
  – Develop monitoring, specialized training, and
    reporting plans for the critical risks in the
    high-risk area
The Compliance Officer?
Current Executive Staff Member
• Pros
  – Knows the culture
  – Immediate start
  – Network already established
  – No reallocation of resources required
• Cons
  – Not the main job
  – Compliance perceived as part of functional
  – Possibly conflicts with regular duties
The Compliance Officer?
Create a New Executive Staff Position
• Pros
  – Main job
  – Not attached to an existing functional area
• Cons
  – Hiring process takes time
  – Must learn institutional culture
  – Must develop personal network
  – Delays program implementation
  – Reallocation of institutional resources required
Compliance Officer Responsibilities
• Make compliance a part of everyday activities of the institution
• Monitor the various compliance program
• Communicate with the chief executive officer and others regarding compliance program activities
• Establish a compliance function
Making Compliance a Part of Everyday Activities
• Awareness communication avenues
• Risk-based plan and compliance manual
• Training tools and delivery mechanisms
• Monitoring plans and assurance processes
• Confidential reporting mechanism
• Reporting procedures
Monitor Compliance Program
• Training

• Critical risks monitoring plans

• Monitoring of Non-compliance
Communicate with Executive Management
• Instances of non-compliance that require
  executive action
• Risk-based plan
• Monitoring activities
• Compliance Working Committee meeting
• Compliance program self-assessment
Establish the Compliance Function

• Robust compliance function

• Coordinator compliance function

• Informal compliance function

• No compliance function
Robust Compliance Function
• Complex compliance environment
• Full-time compliance officer
• Full-time support staff
• Separate budget and organizational chart
• Absorbs previously independent compliance
  activities such as medical billing or
  environmental health & safety
• Usually found in health-related and major
  research-oriented institutions
Coordinator Compliance Function
• Complex compliance environment
• Compliance Officer has other pre-existing
  responsibilities and devotes little time
• Delegates daily operation of the compliance program to a "coordinator"
• Full-time support staff, usually with
  separate budget
• Usually found in academic institutions with
  some research, intercollegiate athletics,
  on-campus housing, etc.
Informal Compliance Function
• Limited compliance environment

• Full-time compliance officer

• Support staff comes from existing institutional operating units such as EH&S, internal auditing, human resources, etc.

• Budget limited and may be buried
No Compliance Function
• Limited compliance environment
• Compliance officer has other pre-existing
  functional responsibilities
• Support provided by compliance committee,
  other institutional units, and outsiders
• Budget usually for external help only
• Usually found in small institutions engaged
  mostly in undergraduate instruction
Compliance Officer and Function Summary
• Big job
• Compliance officer must be a
• Compliance coordinator and staff need consultant, assurance provider mentality
• Start-up decisions and long-term decisions may not be the same
Code of Conduct
• Be careful of the words used

• Do not establish new policies and

• Use a committee with broad representation of the university community to develop

• Include faculty up-front
General Compliance Training
• Curriculum
• Content
• Testing for Knowledge Transmission
• Delivery Mechanisms
• General Compliance Training Plan
  – Initial effort
  – Subsequent years
Risk Assessment: Definition of Compliance Risks

• A compliance risk is the likelihood that an employee (faculty, administration, or staff) will fail to follow an internal policy or procedure or an external law, rule or regulation that applies to the activity in which they are engaged.
Risk Assessment Process
• Perform compliance risk assessment for each risk area of the institution
• Present area risk matrix to the Compliance Working Committee
• CWC prepares a risk matrix for the institution that includes each area and its critical risks
• CWC then re-determines the impact and probability of these risks from an institution perspective rather than an area perspective
• The result is the Institutional Compliance Risk
How To Determine Your Critical Risks
• This is determined by each institution
• Guidelines might be:
  – Items with HH and HM values (high impact/high probability and high impact/medium probability) should be on the critical list
  – Items with HL and MH values may be on the critical list
Validate Your Critical Risk List
• Compare your institutional critical risks to similar institutions or to available models

• Be able to explain the rationale for any item on your critical list that is not on the other institution or model risk list

• Be able to explain the rationale for any item on the other institution or model risk list but not on your critical list
What About All the Other Compliance Risks
• Critical risks at every level must be
• Critical risks at every level require
  – Responsible party
  – Monitoring plan
  – Specialized training plan
  – Reporting plan
• The difference between critical risks at the different levels is who performs the oversight, on whom, and for whom
Oversight Controls for Critical Risks at All Levels
• Institution level
  – Critical risks covered: Institution critical risks
  – Who provides oversight controls: Compliance Officer and Function
  – On whom oversight is provided: Responsible Party
  – For whom oversight is provided: Chief Executive Officer
• Risk Area level
  – Critical risks covered: Risk Area critical risks not included above
  – Who provides oversight controls: Risk Area Responsible Party
  – On whom oversight is provided: Work Unit Management
  – For whom oversight is provided: Compliance Officer
• Work Unit level
  – Critical risks covered: Work Unit risks not included in either above
  – Who provides oversight controls: Work Unit Management
  – On whom oversight is provided: Work Unit Employees
  – For whom oversight is provided: Risk Area Responsible Party
Keep Up with Changing Risk Environment
• Centralized office to monitor external
• High-risk responsible parties monitor their respective high-risk area internal and external environment
• Compliance Working Committee discusses environment and potential changes as a part of every meeting
• Annual assessment of both internal and external environment
Risk Assessment Summary
• Risk environment for your institution is
• Risk environment continuously changes
• Risk ranking changes with the environment
• Risk assessment is on-going, not periodic
• Be prepared for change by managing the critical risks at every level of the institution
Managing Critical Risks
• Elements required for managing compliance critical risks
• Essential role of the responsible party in managing
• Attributes of monitoring plans that must be
• Specific details required for training plans
• Activities that should be reported in a sound reporting plan
• Definitive lessons that can be learned in the management of critical risks
Four Elements Required for Managing Critical Risks
• Responsible party

• Monitoring plan

• Specialized training plan

• Reporting plan
Responsible Party Characteristics

• Exclusive responsibility for managing the risk

• Knowledge to manage the risk

• Authority to manage the risk
Lesson Learned
• If more than one responsible party is indicated, it usually means:
  – Risk should be split into multiple risks.
  – One of the responsible parties does not fulfill the requirements of a responsible party; usually the authority to manage is the requirement not
  – True responsible party does not want to acknowledge responsibility.
Lesson Learned
• The Chief Executive Officer has a vested interest in having the appropriate staff member designated as the responsible party for each high-risk area because the responsible party is the CEO's direct representative in the on-going, everyday compliance assurance network.
Monitoring Plan
• Every step in a monitoring plan should already exist in the policies & procedures that manage the risk
• The monitoring plan serves as the criteria for all types of assurance services
• The monitoring plan must include Level 1, Level 2, and Level 3 controls
• The monitoring plan must indicate the documentation that is created by each of the levels of control
Assurance Continuum: Levels of Control in COSO
Collaborative Assurance (Governance and Management Control Processes) spans all of the levels below. Periodic Assurance (Governance Control Processes) covers the Level 4 controls at either end of the continuum; On-going Assurance (Management Control Processes) covers Levels 1 through 3.
• Level 4 Controls (Internal Audit): pre-operations design review of on-going assurance
• Level 1 Controls (Execution): during execution of event or transaction
• Level 2 Controls (Supervisory): immediately after execution of event or transaction
• Level 3 Controls (Oversight): soon after execution of event or transaction
• Level 4 Controls (Internal Audit): post-operations audit of execution of on-going assurance
Level 1 Controls (Execution Controls)

• Embedded in day-to-day operations
  – Policies and procedures
  – Segregation of Duties
  – Reconciliations/Comparisons
• Performed on every event/transaction
• Performed by the generators of the
• Performed in 'real time' as the event/transaction is executed
Level 2 Controls (Supervisory Controls)

• Re-application of operating controls
  – Supervisory Review; Quality Assurance; Self Assessment

• Performed very soon after the generation of the event/transaction
• Performed by line management or staff positions who do not originate the
• Performed on a sample of the total number of events/transactions
Level 3 Controls (Oversight Controls)
• Exception reports, status reports, analytical reviews, variance analysis
• Performed by representatives of executive
• Performed on information provided by supervisory management
• Performed within a short period (weeks/months) after the event/transaction is originated
Level 4 Controls (Internal Audit Controls)
• Audit of the design of controls, not the operation of controls
• Performed either before the event/transaction is originated or long after
• Performed by staff with no involvement in the operations
• Performed on individual events/transactions for discovery only
Lesson Learned

• The best place to seek and get help in developing an appropriate monitoring plan is your internal audit department.
Specialized Training Plan

• Who is trained
• Level of knowledge transferred
• Frequency of training
• Provider of training
Specialized Training Matrix

• Staff who perform execution controls
  – Level of knowledge transfer: Detailed knowledge of control procedures
  – Frequency of training: New hires; changes; non-compliance
  – Trainer provider: In-house staff
  – Testing methodology: Test at end of training
• Staff who perform supervisory controls
  – Level of knowledge transfer: Detailed knowledge of policies & procedures
  – Frequency of training: New supervisor; changes; failure to apply these controls
  – Trainer provider: External parties; in-house oversight staff
  – Testing methodology: Test for content at end of training; test for concepts through failure analysis
• Compliance function staff, internal auditors, peer review teams
  – Level of knowledge transfer: General knowledge of P&P; detailed knowledge of control steps
  – Frequency of training: Prior to performing assurance services
  – Trainer provider: In-house staff
  – Testing methodology: Quality review process of assurance provider organization
Reporting Plan should include:
• Activity to be reported
  – Supervisory control activities detailed in monitoring plan
  – Training activity detailed in training plan

• Items to be reported for each activity, such as number of transactions examined or number of employees trained

• Frequency of reporting for each activity

• Who receives the report for each activity
Supervisory control activities to be reported:
• The number or percentage of execution events or transactions in the universe and number
• The number or percentage of execution events or transactions that failed the control attribute
• The identified causes of failure
• The action taken to mitigate repetitive failure
• The need for process improvement
• The need to escalate the consequence of non-compliance to mitigate repetitive non-compliance

Example (purchase contracts):
• Number of purchase contracts reviewed from the universe of contracts
• Number of purchase contracts that did not satisfy the competitive bidding process
• Identified causes of failure, such as personal preference of requestor
• Action taken, such as provided training to all
• Process changes, such as modify computer program to include RFP# and Award Designation
• Second instance for requestor: need to remove budget spending authority
Lesson Learned
• Managing the critical risks is a learning process that provides information about
  – Level of compliance
  – Instances of non-compliance and why they occur
  – Effectiveness and/or need for specialized training
Managing Critical Risks Summary
• "Responsible party" should have exclusive responsibility for the risk, knowledge to manage the risk, and authority to manage the risk.

• A monitoring plan is not new controls but an organized method of displaying controls that already should exist.

• Monitoring plans include execution, supervisory, and oversight controls and how they are documented

• Monitoring plans are the road map for all assurance

• A specialized training plan includes who will be trained, training content for each target group, training provider, and measurement techniques that will be used.

• A reporting plan includes what activity will be reported, the details to be reported for each activity, and to whom the reports will be directed.

• Managing the critical risks provides the ability to improve operations performance
Assurance Strategies
• Assurance strategies increase the confidence level that others have in the reliability and relevance of the compliance function.
• The goal is to give assurance about managing the critical risks and the compliance function
• Strategies are:
  – Certification
  – Inspections and Agreed-upon procedures
  – External Expert Peer Reviews
  – Audits
  – Other External Assurance Providers

Certifications
• Given by each manager or responsible party for their
• Are essentially self-assessments
• Say that responsible parties are performing all operating and monitoring controls that are required
• Usually provide a minimum confidence level
• Signed certifications provide increased value
• Are greatly enhanced if validated by compliance or internal auditing personnel
• Should be used for every operational unit
Lesson Learned

• Certifications should be used for every operational unit, even if additional assurance strategies are used.
  – Provides level of assurance for functional areas
  – Pushes managers to find out what is happening in their units before they

Inspections
• Are oversight controls
• Are on-going during current operating
• Emphasize that responsible parties perform their supervisory controls
• Indicate that the plan in place to manage the critical risks is being followed
Criteria for the inspection process

• Uses the monitoring plan
• Uses the specialized training plan

Compliance personnel (or others) examine records, individual transaction documentation, and corrective action documentation (if needed) and ensure correct reporting to the compliance officer.
Lesson Learned

• Acceptable inspection programs require the examination of DOCUMENTED evidence
  – To verify that supervisory controls were
  – To verify that corrective action was taken if
Agreed Upon Procedures
Performed by Internal Auditing function

• An assurance for the compliance officer – almost exactly like an inspection
• Results are only reported to the Compliance Officer and Compliance Committee
• For Internal Auditing, this is a consulting service – not an
• Procedures are actually contracted with the internal auditing department
• Internal auditing staff are working for the compliance
Lesson Learned

• When internal auditing is performing the oversight function under contract or agreement with the compliance officer, the process is NOT an audit.
External Expert Peer Reviews
• External subject matter experts perform the review

• Professional stature of the peer review team will affect the value of the review

• External peer reviews may be the only feasible way to obtain assurance
Types of External Peer Reviews
1. In lieu of compliance oversight
   – Provided for compliance officer
   – Provided by external peer review team subject matter experts
2. In lieu of internal audits
   – Provided for CEO and governance function
   – Provided by external peer review team subject matter experts
3. Of the compliance program
   – Provided for CEO and governance function
   – Provided by external peer review team
Lesson Learned

• The compliance officer and compliance committee should have a formal agreement with the peer review team that is signed by each team member.

• The agreement should address confidentiality, who will receive the report, how to transmit sensitive information, destruction of working notes, etc.

Audits
• Subject to professional standards of the internal
• Criteria used by the internal auditor would be the monitoring plan and specialized training plan for the critical risks
• Audit program will be designed to ensure that risks are properly managed, with special emphasis on oversight controls and supervisory controls
• Working papers are the property of the internal auditing department
• Audit report is through normal audit process
Audits . . .
• Design audits
  – Requests to audit the design of the compliance
  – Internal Auditor and executive management agree upon the purpose of the audit

• Information validation audits
  – Requests for independent, objective party to audit
  – Three parties involved – group seeking assurance (executive management), group providing the information in question (compliance program), and the assurance provider (internal auditing)
Lesson Learned
• If specific instances of non-compliance are identified during the execution of the audit program, the internal auditor should report those specific instances of non-compliance to the compliance officer and the compliance committee.

• Specific instances of non-compliance will not be in the audit report.
Other External Assurance Providers

• Compliance officer, CEO, and governance function obtain assurance from other assurance providers.
  – JCAHO
  – Accreditation teams (SACS)
  – Regulators
  – External auditors
  – Federal auditors
Lesson Learned

• Reports of all external evaluations should be filed with one particular institutional official, such as the general counsel, the internal auditor, the director of institutional research, or the chief risk officer.
• This will eliminate redundancy and will provide opportunities to distribute reports to all affected
Deciding Which Assurance Strategy To Use
Criteria depend on:
• significance of the risk
• prior experience with the risk and its
• availability of cost-effective assurance
• confidence level needed
Assurance Strategies Matrix
• Certification
  – Provided by: Responsible Party
  – Provided on: Responsible Party
  – Provided for: Compliance Officer
• Inspection
  – Provided by: Compliance Function
  – Provided on: Responsible Party
  – Provided for: Compliance Officer & Chief Executive Officer (CEO)
• Agreed Upon Procedures
  – Provided by: Internal Auditing
  – Provided on: Responsible Party
  – Provided for: Compliance Officer
• Design Audit
  – Provided by: Internal Auditing
  – Provided on: Compliance Officer
  – Provided for: CEO & Governance
• Information Validation Audit
  – Provided by: Internal Auditing
  – Provided on: Responsible Party & Compliance
  – Provided for: CEO & Governance
• External Peer Review (in lieu of compliance oversight)
  – Provided by: External peer review team of subject matter experts
  – Provided on: Responsible Party
  – Provided for: Compliance Officer
• External Peer Review (in lieu of Internal Auditing information audit)
  – Provided by: External peer review team of subject matter experts
  – Provided on: Responsible Party & Compliance Function
  – Provided for: CEO & Governance
• External Peer Review (of the compliance program)
  – Provided by: External peer review team
  – Provided on: Compliance Officer, Compliance Function and the Compliance
  – Provided for: CEO & Governance
• Other External Assurance Providers
  – Provided by: Accreditation Team, External Auditors, Regulators
  – Provided on: Responsible Party
  – Provided for: Compliance Officer, CEO, & Governance
Assurance Strategy Summary
• The primary focus of assurance is to increase the confidence of decision-makers to an acceptable level at the lowest cost.
• Each strategy is defined by service provided, provider, and information being
• The examples presented show a wide range of strategies that give assurance.
Confidential Reporting
• Methods Available

• Triage Process

• Relationship to Other Reporting Sites

Lesson Learned

• Confidential reporting mechanisms cannot and should not be the primary mechanism for discovering and correcting non-compliance!
Line Management Responsibilities
• Process policies and procedures are the
  primary mechanism for discovering and
  correcting noncompliance
• Line management from the first line
  supervisor to the chief administrative officer
  are responsible for taking corrective action
  in cases of noncompliance
Pre-Determined Consequences for
• Ensures consistent, equitable action

• Influences employee and manager

• Fulfills the Federal Sentencing Guidelines requirement for discipline and corrective
What About Those Risks That Do Not Make the Critical List?
• Manage at the appropriate level

• Be sure the four essentials are present
  – Responsible party
  – Monitoring Plan
  – Specialized Training Plan
  – Reporting Plan

• Be prepared for changes in your risk

What's Next? Learn and Renew
• Develop a self-assessment instrument

• Conduct a self-assessment

• Undergo an External Peer Review

• Develop a new Action Plan

• Do It!