Auditing Compliance Sideways and Up and Down, Part 2 in a 2-Part Series

June 1, 2017


Editor’s Note: This is a follow-up article to Auditing Compliance Sideways and Up and Down, Part 1, which was published in the Winter 2017 issue.

First, let’s briefly review the fundamentals from Part 1, which introduced auditors to auditing for compliance (sideways) and to eight compliance program internal control steps derived from the Federal Sentencing Guidelines (FSG) on Effective Compliance Programs (United States Sentencing Guidelines (USSG) §8B2.1). These internal control steps can be viewed as a process and should be found in all three levels of an organization—governance, management, and operations (up and down). In most institutions, these translate into:
  • Board Oversight of Compliance
  • An Institutional Compliance Program
  • Subject-Specific Operational Compliance Programs (such as for Equal Employment Opportunity (EEO), Occupational Safety and Health Administration (OSHA), the Family Educational Rights and Privacy Act (FERPA), Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), and the National Collegiate Athletic Association (NCAA), etc.)

Part 1 also pointed out how the eight internal control steps and the three levels are in harmony with both the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework Principles and The Institute of Internal Auditors Three Lines of Defense model.

Part 2 now explores in more detail how to audit “up and down” for the eight internal control steps, or control activities. The resulting information from sideways audits of compliance with laws and regulations and from these up and down audits will give management a more complete picture of what is happening in the institution’s compliance control structure across the organization and from top to bottom.

TESTING INTERNAL CONTROL STEPS AS CONTROL ACTIVITIES

First, let’s review the first part of the COSO definition of control activities, which equate to the internal control steps cited in Part 1:
 
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity (Internal Control – Integrated Framework Executive Summary, COSO, May 2013).

Two words in this definition are important to auditors: established and actions. Specifically, control activities need to be “established through policies and procedures.” This strongly implies that control activities should be designed, that is, written down, diagramed, etc. Secondly, control activities are “actions.” This strongly implies that you do not just design, write down, or diagram a control activity; you also need to “do it.” No control activity can be effective if it is not implemented. Therefore, when evaluating compliance, auditors can help institution leaders most by testing for both compliance program design and implementation.

Why Designed and Implemented?

A few years ago, I did contract work for KPMG. There I learned of a control testing technique KPMG used in compliance testing that had two parts: “Test of Design” and “Test of Execution”—regularly referred to as TODs and TOEs.
What KPMG tested for was that 1) the compliance program and control activities were designed and documented and 2) the compliance program and control activities were executed as designed. This same principle is described in a compliance document written by the Federal Energy Regulatory Commission (FERC), a principle that can transfer to higher education:

It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance.
  • Para 16, FERC Compliance with Statutes, Regulations, and Orders (emphasis added)

This principle is also a “shall” in the FSG:

[The organization’s] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.
  • USSG §8B2.1.a.2 (emphasis added)

Control Activity Audit Objectives

From this guidance, auditors can derive two separate audit objectives:
  1. Verify a compliance control activity is designed AND
  2. Verify a compliance control activity has been implemented.

PUTTING IT ALL TOGETHER

So far we have covered:
  • The eight internal control steps or control activities to look for,
  • The three levels of “up and down” compliance—board, management, and operational, and
  • The requirement that these control activities be both designed and implemented.


How to audit all of this will be discussed in detail below starting with board oversight, followed by institutional compliance management, and concluding with operational subject-specific compliance.

AUDITING BOARD COMPLIANCE OVERSIGHT

Design

There is one primary control activity that should be designed as part of board oversight—does the board have a standard set of questions or guidelines about the eight control activities that it asks management? One way to test for this control is to ask for a copy of the questions and/or guidelines.

Implementation

As mentioned above, the board can know it should ask questions about institutional compliance activities and even add these discussions as agenda items. But, in order for this control activity to be effective, the board must actually ask those questions and take appropriate actions based on the answers. One way to test this is to request copies of board minutes or minutes for the board committee that oversees the compliance function.

Resources on Auditing Board Compliance Oversight

Two excellent resources on auditing board compliance oversight can be found here:

  • Association of Governing Boards of Universities and Colleges Magazine
    • Welcome to Compliance U: The Board’s Role in the Regulatory Era
      http://agb.org/trusteeship/2013/7/welcome-compliance-u-boards-role-regulatory-era
  • The Society of Corporate Compliance and Ethics (SCCE) Regional Conference, Dallas, December 2015
    • Training and Responsibilities, Marjorie Doyle, Certified Compliance and Ethics Professional Fellow (CCEP-F)
      • Training the Board on ethics and compliance program responsibilities

AUDITING INSTITUTIONAL COMPLIANCE MANAGEMENT

Design

At a high level, an institutional compliance program is designed when a college or university compliance program is documented and this documentation addresses the eight internal control steps or control activities that are to be taken or conducted. Program documentation should answer “how” questions. For example: How, as an institution, are we

  1. Identifying requirements and assessing compliance risk?
  2. Going to establish/modify a compliance organization?
  3. Documenting compliance-related standards, policies, and procedures?
  4. Communicating and training on compliance-related standards, policies, and procedures?
  5. Implementing, promoting, and enforcing compliance-related standards, policies, and procedures?
  6. Monitoring, auditing, and reporting compliance information internally and externally?
  7. Ensuring our compliance program continuously improves?
  8. Getting the support of senior leaders and establishing a culture of compliance?

These processes could be documented in a single compliance program or separately in a document series.

Implementation

Ensuring the eight internal control steps are operating as intended—that is, testing for their effective implementation—means obtaining documentation showing that all the steps or control activities are actually being employed. For example, auditors need to verify that requirements were identified and that the institution has created a compliance inventory or something similar. Auditors must also verify that compliance risk was assessed, that this assessment produced a risk report, and so on.

Resources on Auditing Institutional Compliance Management

An audit program for auditing design and implementation can be found on the www.twu.edu/compliance website. Look in “Compliance Forms and Documents” for the “Basic Compliance Audit Program.”

AUDITING SUBJECT-SPECIFIC COMPLIANCE PROGRAMS

Design

Auditing the design of a subject-specific compliance program, such as for EEO, OSHA, FERPA, ADA, HIPAA, or the NCAA, should be similar to the process for auditing institutional compliance management because subject-specific compliance programs should answer the same questions. An example of an EEO compliance program design for activities 1-3 might include these questions:
  1. What process does the EEO compliance manager use to learn about and stay up-to-date on EEO requirements? How do they assess EEO risk?
  2. Have adequate FTEs been allocated for EEO compliance? Have EEO compliance roles and responsibilities been documented?
  3. What is the process for designing and updating EEO standards, policies, and procedures? Is this process documented?

As with institutional compliance, these processes could be documented in a single compliance program or separately in a document series.

Implementation

Ensuring the eight internal control steps or control activities are operating as intended—that is, testing for implementation—means obtaining documentation and validating it. For example, for EEO compliance program implementation, tests for activities 1-3 might include these questions:

  1. Have all EEO legal/regulatory requirements been identified? Can the department provide a list? Have EEO risks been assessed? If yes, is there a risk report?
  2. Has someone actually been assigned responsibility for EEO compliance? Is this position filled?
  3. Does each EEO requirement have documented compliance-related standards, policies, and procedures? Can copies be provided?

Resources on Auditing Subject-Specific Compliance Programs

The audit program mentioned above could easily be adapted for use in a subject-specific compliance audit. The list of documents you would review to test for subject-specific design and implementation is very similar to the list at the institutional level. The primary difference is that these documents would be focused on a specific program, such as EEO, rather than the entire institution.

CONCLUSION

When auditors audit for compliance (sideways—discussed in Part 1) and look at compliance control activities at the board, management, and operational levels (up and down), the board and management get a more complete picture of the health of institutional compliance. Auditing of subject-specific compliance is also enhanced.

Therefore, when auditing for compliance, it is highly recommended that an auditor do so both sideways and up and down. Why? Because when an institution is “out of compliance” in a specific area, the root cause can often be traced to a control activity that is missing or not functioning. For example, training did not exist (internal control step/control activity 4) or a procedure was missing (internal control step/control activity 3).

Looking at compliance in all directions also helps keep an institution in compliance with the FSG Effective Compliance and Ethics Program requirements. Most importantly, testing these controls mitigates risk in a way that helps ensure an institution meets a key goal, which is to operate “in compliance” with relevant regulations.

About the Author

Deena King

Deena King is the Director of Compliance at Texas Woman’s University in Denton, TX. She is a Certified Information Systems Auditor and a Certified Compliance and Ethics Professional. Deena has over 30 years of experience in a variety of organizations, including local, state, and federal government, higher education, non-profit, utility, and for-profit. Her work with the federal government literally took her all over the world. She is the author of the book Compliance in One Page and a member of the Society of Corporate Compliance and Ethics (SCCE). Deena has also served in a variety of capacities with local ISACA and IIA boards.
