Auditing Compliance Sideways and Up and Down, Part 1 in a 2-Part Series

February 1, 2017


COMPLIANCE IN HIGHER ED

Compliance is not new to higher education. Some universities have had institutional compliance programs for almost 20 years. It can even be argued that the absence of such a program puts an institution in violation of the U.S. Sentencing Guidelines, often referred to as the Federal Sentencing Guidelines (FSG), with respect to the Effective Compliance and Ethics Program (ECEP) requirements (USSG §8B2.1). Though the ECEP section is only about two pages long, it includes a total of seventeen “shalls.” In legal terms, shall means “an imperative command; has a duty to or is required to” (http://definitions.uslegal.com/s/shall/).

If an institution does not have a compliance program and if there is ever a significant compliance incident, one post-incident recommendation is usually to establish one. Two examples are the Penn State child sexual abuse and Baylor sexual assault football-related scandals. Following each of these scandals, investigators recommended that qualified chief compliance officers be appointed (see Freeh Report and Pepper Hamilton Recommendations).

THE ROLE OF INTERNAL AUDIT

Those familiar with the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) know that an internal audit function is responsible for evaluating the controls of an organization, and an aspect of these controls is compliance (see IIA/IPPF 1220.A1, 2120.A1, 2130.A1, and 2210.A2).
But what does it mean to “audit compliance”? This article will look at two different ways to approach the audit of an institutional compliance program—sideways and up and down.

AUDITING COMPLIANCE – SIDEWAYS

For the purpose of this article, auditing compliance sideways means auditing compliance with applicable laws and regulations, and answers the following question:

Can internal audit offer reasonable assurance that the institution is in compliance with _____?

Laws and regulations that fill in this blank could include the Americans with Disabilities Act (ADA), Environmental Protection Act (EPA), Family Educational Rights and Privacy Act (FERPA), National Collegiate Athletic Association (NCAA) policies, and many others. If your audit function is not already using it, please refer to the Higher Education Compliance Alliance Compliance Matrix (http://www.higheredcompliance.org/matrix/). The matrix provides a comprehensive list of key federal laws and regulations that govern colleges and universities and includes concise statutory summaries.

Auditing compliance with applicable laws and regulations requires that research be done on what is legally required of the institution. In some cases, such as the NCAA, requirements are spelled out in a manual. In others, audit criteria may need to be drawn from the detailed language of the law itself. An excellent resource is an audit library. The ACUA Resource Library includes compliance audit programs for such areas as athletics, safety, and export controls. There are also other online libraries that contain compliance audit programs.

AUDITING COMPLIANCE – UP AND DOWN

For the purpose of this article, auditing compliance up and down means evaluating the governance, management, and operational controls that form the control structure of institutional compliance. Auditing compliance up and down answers the following questions:

Can internal audit offer reasonable assurance that:
  1. The institution’s board is providing adequate oversight over organizational compliance?
  2. High-level management has designed and implemented appropriate compliance program controls?
  3. Lower-level management and front-line performance/operational personnel are operating their compliance programs utilizing proper compliance program controls?

As this list implies, an institution has three levels of compliance program controls that map to a typical organizational hierarchy:
[Figure 1: The three levels of compliance program controls (board, management, performance/operational) mapped to the organizational hierarchy]

Each of these levels is addressed in the FSG ECEP section as follows:

Board:

“The organization’s governing authority shall be knowledgeable…and shall exercise reasonable oversight…”

  • USSG §8B2.1.(b).(2).(A) (emphasis added)

Management:

“High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program.”

  • USSG §8B2.1.(b).(2).(B) (emphasis added)

Performance/Operational:

“Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program.”

  • USSG §8B2.1.(b).(2).(C) (emphasis added)

Each of these three levels can be mapped to the IIA’s Three Lines of Defense Model:

[Figure 2: The three compliance levels mapped to the IIA Three Lines of Defense Model]

This model further demonstrates that compliance involves all three levels of an organization.

These three levels also map to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) cube:
[Figure 3: The three compliance levels mapped to the COSO cube]

LEVELS AND INTERNAL CONTROL STEPS

The levels are pretty straightforward. But what are the internal control steps we need to take? The answer can be extracted from the seven elements of the FSG ECEP requirements.

THE SEVEN ELEMENTS

While, as mentioned above, there are seventeen “shalls” in the FSG ECEP section, the Society of Corporate Compliance and Ethics (SCCE) has summarized these shalls into the seven elements of an ECEP (https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf). The original seven elements are:
  • Implementing written policies, procedures and standards of conduct.
  • Designating a compliance officer and compliance committee.
  • Conducting effective training and education.
  • Developing effective lines of communication.
  • Conducting internal monitoring and auditing.
  • Enforcing standards through well-publicized disciplinary guidelines.
  • Responding promptly to detected offenses and undertaking corrective action.
However, as an experienced auditor and author, I recognized that the seventeen shalls could be summarized in a manner that more resembles internal control categories promoted by COSO. In addition, I recognized that two key internal controls were missing. Thus, in my book Compliance in One Page, I reorganized the seven elements into eight internal control steps (Note: Step 4 combines elements 3 and 4 from the original seven elements):
  1. Identify Requirements/Assess Risk
  2. Establish/Modify Compliance Organization
  3. Document Standards, Policies, and Procedures
  4. Communicate Standards, Policies, and Procedures
  5. Implement, Promote, and Enforce
  6. Monitor, Audit, and Report
  7. Continuously Improve
  8. Embed in Leadership and Culture
The two additions can be found in steps 1 and 8. In step 1, “Identify Requirements” was added and comes from the principle of accountability. It is next to impossible to be held accountable for anything unless the requirements or expectations are clear. In the case of compliance, the requirements are found in the laws and regulations. Also part of step 1, “Assess Risk” was added because this is a “shall” found in USSG §8B2.1.(c).

Step 8, “Ingrain in Leadership and Culture,” was added because leadership and culture are both indicated in “shalls” found in USSG §8B2.1.(b).(2).(A), §8B2.1.(a).(2), and §8B2.1.(b).

An additional enhancement to the original seven elements is representing steps 1 – 8 as a process. This is because it is next to impossible to audit requirements that have not first been identified, or to design a policy without first designating who is responsible for it. At TWU, we adopted the Compliance in One Page (p. 5) process, which looks like this:

[Figure 3b: The eight-step Compliance in One Page process]

Compliance Internal Control Principle:

  • The adoption of the “shalls” from the FSG by governance, management, and ALL major subject-specific compliance programs helps infuse compliance internal controls into the culture and puts everyone on the same page.

Compliance Internal Control Objective:

  • Verify the “shalls” are used as internal controls from top to bottom.

[Figure 4: Compliance internal control principle and objective applied from top to bottom]

CONCLUSION

Part 1 of this series introduced auditors to auditing for compliance (sideways). It also introduced auditors to compliance program controls at all three levels of an organization (up and down). Part 2 of this series will explore in more detail how to audit the up and down controls. The resulting information from these audits will give management a more complete picture of what is happening in the institution’s compliance control structure from top to bottom.

In the meantime, feel free to explore the http://www.twu.edu/general-counsel/compliance/ website for compliance programs, guides, audit programs, surveys, and other ideas.



About the Author

Deena King

Deena King is the Director of Compliance at Texas Woman’s University in Denton, TX. She is a Certified Information Systems Auditor and a Certified Compliance and Ethics Professional. Deena has over 30 years of experience in a variety of organizations, including local, state, and federal government, higher education, non-profit, utility, and for-profit. Her work with the federal government literally took her all over the world. She is the author of the book Compliance in One Page and a member of the Society of Corporate Compliance and Ethics (SCCE). Deena has also served in a variety of capacities with local ISACA and IIA boards.
