Auditing and Monitoring in an Effective Institutional Compliance Program

Transcription

1 Auditing and Monitoring in an Effective Institutional Compliance Program 6 th Conference for Effective Compliance Systems in Higher Education Presented by David B. Crawford, Audit Manager Emeritus The University of Texas System And Mary Cook, Director of Contracts and Institutional Compliance University of Houston Downtown 1

2 Topics Revised Federal Sentencing Guidelines Defining Auditing and Monitoring Developing and Using the Monitoring Plan Compliance Office Inspections When to Audit the compliance program 2

3 Revised Federal Sentencing Guidelines 8B2.1(a)(1) sets forth the existing requirement that an organization exercise due diligence to prevent and detect criminal conduct, but adds the requirement that an organization otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. 8B2.1(b)(5) mandates that organizations use auditing and monitoring systems designed to detect criminal conduct (and, implied from 8b2.1(a)(1), unethical conduct and non compliance with the law) 3

4 Risk Management Sequence Process controls by work unit staff Quality Controls by Line Management Monitoring by the Responsible Party Inspection by the Compliance Office Auditing by the Internal Audit Department 4

5 Auditing and Monitoring Auditing Those actions taken by objective parties who are independent of operations to validate information reported to stakeholders about the design and operation of the compliance program Monitoring (including Inspections) Those actions taken by management to ensure that compliance risks are being managed as intended 5

6 Auditing Activities (1/2) Internal Audit assurance engagements Express an opinion on compliance program design Express an opinion on validity of operational dat External (Stakeholder) assurance engagements Federal/State auditors Lender/Donor auditors Supplier/Customer auditors 6

7 Auditing Activities (2/2) Peer Review Validate compliance program design & operation Validate Specific Risk Management design and operation Credentialing & Accrediting activities Accreditation Organizations (Hospitals, Higher Education) Credentialing (ISO, Baldwin) 7

8 Internal Audit Activities Agreed upon procedures Performance of specific set of procedures established by the compliance office and contracted to IA for completion because of lack of compliance office resources or expertise Audits Performance of procedures chosen by IA to provide assurance to a third party of either The adequacy of design of the compliance program, or The validity of information generated by the compliance program on the management of risks 8

9 Monitoring Activities Monitoring by the Responsible Party Verifying the execution of supervisory and oversight controls on a continuous basis May be performed by a work unit employee as a delegate of the Responsible Party May be contracted (assigned) to another work unit Inspections by the Compliance Office (CO) Verification by CO staff or designee of information reported by the Responsible Party to the compliance office, or other pertinent data on compliance program operations 9

10 Development of a Monitoring Plan Mary Cook Director of Contracts and Institutional Compliance University of Houston Downtown 10

11 Compliance Office Inspections of Risk Management Process Define a procedure for deciding what information will be verified: potential criteria most compelling evidence most efficient to obtain Define the documentation that will be created Performed by Procedure used Evidence obtained Conclusion and recommendations 11

12 Risk based audit plan Normal scheduling When to Audit Governance need for information Significance of Risk(s) Compliance Office need for confirmation of design of mitigation strategies and monitoring plans reported information operation of mitigation strategies and monitoring plans Operating management need for assurance on Risk assessment process Mitigation strategies and monitoring plans process 12

13 Resources Effective Compliance Systems: A Practical Guide for Educational Institutions [Crawford, et al] crawfordjd@earthlink.net 13