Developing, Implementing and Auditing an …

1 8/29/20161 Developing, Implementing and Auditing an EffectiveUniversity- wide compliance OfficeEric Groen, Managing DirectorBeth Boyle, AssociateDirectorSeptember 14,2016 Introduction2 Eric Groen Managing DirectorEric Groen is a Managing Director with Protiviti, based in the Phoenix area. He has over 15 years ofexperience in consulting and audit, including both internal and external audit experience. Eric s experienceextends across a number of industries, however, he spends the majority of his time focusing on highereducation and more specifically compliance and governance a degree in Accounting and Finance from Creighton university , is a Certified Public Accountant,a Certified Internal Auditor, and a Certified compliance and Ethics Boyle Associate DirectorBeth is an Associate Director in the DC and NY regions. Beth has over 17 years of experience in internal andexternal audit, business consulting and related services. She delivers Internal Audit and SOX services to avariety of clients, primarily in the higher education, government contracting and professional a Certified Public Accountant (CPA) and a Certified Internal Auditor (CIA) and holds a degree inAccounting from Boston College and a from St.

2 Mary s College of s Areas of FocusIdentify key benefits of a proactive compliance these key benefits by learning the keyattributes, practices and components of an effectiveCompliance the key attributes, practices, and components to develop an auditplan to evaluate the compliance program at your a ProactiveComplianceProgram8/29/20163 You are Not the First, and You are Not Alone5 According to6 According to a 2013 Bi-Partisan Senate Task Force, in their document entitled Recalibrating Regulation at College and Universities , they quote the AmericanAction Forum calculation that Institutions spend million hours annuallycompleting Dept. of Education mandated Benefits7 Frameworks can bring consistency and oversight of key compliance chief compliance officer and institution- wide compliance committee can provideleadership and enhance decision making and Reporting LinesA robust risk assessment process can identify and prioritize compliance training programs are one of the key factors in thesuccess of a compliance TrainingMonitoring to detect non- compliance and self-reporting can limit prosecution,fines, and reputational damage.

3 The government has made it clear that companies who take compliance seriously and are committed tofinding, fixing, and solving legal and regulatory problems are in a far better position than those who do notinvest in real, robust, and effective compliance programs. I can think of no better proof of the value ofstrong compliance and ethics programs than the DOJ s and SEC s recent actions. SCCE Chief ExecutiveOfficer Roy SnellComplianceMonitoringIIA Position Paper:The Three Lines of Defense in effective Risk Management and Control(January 2013) .. compliance function to monitor variousspecific risks such as noncompliance withapplicable laws and regulations. In thiscapacity, the separate function reportsdirectly tosenior management, and in somebusiness sectors, directly tothe governingbody. Multiple compliance functions oftenexist ina single organization, withresponsibility for specifictypes ofcompliance monitoring, such as health andsafety, supplychain, environmental, or qualitymonitoring.

4 IIAC ompliance Program88/29/20165 KeyAttributes,PracticesandComponentsof anEffectiveComplianceProgramOversight & AccountabilityDocumentation & ReportingOngoing ImprovementFederal SentencingGuidelines10 Assessmentsand ContinuousImprovement Standards,Policies and Procedures Assignment of ResponsibilitiesDue Diligence and Delegation of AuthorityMonitoring, Auditing and Assessing the ProgramResponse to Criminal Conduct or Non- compliance Incentives and Disciplinary ActionsCommunication, Awareness and Training8/29/20166 ComplianceProgramResponse toConsumerComplianceAuditBoardOversightC onsumer Financial Protection Bureau (CFPB)11 Elements of a compliance Management System (CMS) Establishes its compliance responsibilities; Communicates those responsibilities to employees; Ensures that responsibilities for meeting legalrequirements and internal policies are incorporated intobusiness processes; Reviews operations to ensure responsibilities are carriedout and legal requirements are met; Takes corrective action, and Updates tools, systems, and materials, as s compliance Framework (PCF)Protiviti sCompliance Framework Incorporates the key components of effective regulatorycompliance programs from a regulatory perspective Integrates the principles of effectiveness, efficiency,comparability, communication, and reporting Identifies and defines specific risks associated with eachstage of the PCF Provides a roadmap to evaluate the effectiveness of thecompliance programs128/29/20167 CUSTOMIZED ComplianceFramework13 Assign Responsibility and Accountability14 compliance Program ElementThe Board of Trustees and Senior Management should designate a knowledgeable compliance officer to administer the complianceprogram.

5 Theboard and senior management must grant the compliance officer sufficient authority and independence to cross departmental lines,access to all areasof the company, and effect corrective action when Designation by Board of a qualified compliance OfficerReporting Lines for compliance Officer and DepartmentEstablishing compliance Department with Documented ResponsibilitiesEstablishment of a strategic, enterprise- wide management compliance CommitteePeriodic Evaluation of compliance ResourcesOperational responsibilities of compliance personnel are limited and appropriate segregation of dutiesexistsLeading Practices8/29/20168 compliance office -EXAMPLED irector, EmergencyManagementDirector, Disability ServicesChief of PoliceDirector EnvironmentalHealth and SafetyCEO/PresidentBoard ofDirectorsCompliance OfficePrimary Responsibilities: Administer Code of Conductand other organizationalpolicies,including a policy on policies. Operate currently existing Anonymous Reporting Lineincluding investigations, as necessary.

6 Provide independent /objective compliancemonitoringfunction Administer Conflicts of Interest (and compliance )CommitteeDirector Equity andInclusion (and Title 9)Director of RiskManagementChief InformationSecurityOfficerDirector,Resea rchComplianceComplianceOfficer,Athletics ComplianceOfficer, Environmental Health& SafetyComplianceOfficer,Financial AidComplianceOfficer,Health and Wellness15 Future compliance Organization Structure:Leadership Option 1 Chief compliance Officer ModelComplianceLeader(Chief compliance Officer)Audit (andCompliance)CommitteeInternalAuditGen eral CounselCEO/PresidentChief OperatingOfficer16 Current employee not identifiedReporting Lines: Dual reporting to Audit (and compliance ) Committee and the President. Direct reporting line to Audit (and compliance ) Committee, 'dotted line' (indirect oradministrative) reporting to the President. Personnel with responsibilities around compliance will establish a 'dotted line' (indirect) reporting relationship to the compliance Leader.

7 compliance Leader could be allocated at least one full-time employee to support compliance at a university level. Dotted line (Indirect) reporting relationship with General Counsel to establish and maintain Attorney Client Privilege, as necessary. Internal Audit has an oversight role and is responsible for independently validating the operating effectiveness of the compliance compliance Organization Structure:Option 2 Director of compliance Model17 Current employee not identifiedReporting Lines: Dual reporting to Audit (and compliance ) Committee and the Chief Operating Officer. Direct reporting line to the Chief OperatingOfficer, 'dotted line' (indirect oradministrative) reporting to the Audit (and compliance ) Committee, as required. Personnel with responsibilities around compliance will establish a 'dotted line' (indirect) reporting relationship to the compliance Leader. compliance Leader could be allocated at least one full-time employee to support compliance at an enterprise level.

8 Dotted line (Indirect) reporting relationship with General Counsel to establish and maintain Attorney Client Privilege, as necessary. Internal Audit has an oversight role and is responsible for independently validating the operating effectiveness of the compliance (Director of compliance )Audit (and compliance )CommitteeGeneralCounselChief OperatingOfficerInternal AuditOffice of UniversityIntegrity18 PresidentBoard of TrusteesAudit and ComplianceCommitteeEnvironmentalHealth& SafetySeniorIntegrityOfficerAthleticsSen iorIntegrityOfficerMedicalCenterSeniorIn tegrityOfficerEnrollmentChiefInformation SecurityOfficerManager ofIntegrityControlAssessmentADAC oordinatorOffice of university IntegritySVP Business & FinanceSVP Legal AffairsManager ofUniversityPolicyManager ofIntegrityTrainingSeniorIntegrityOffice rAccreditationSeniorIntegrityOfficerRese archSeniorIntegrityOfficer HumanResourcesPrimary Responsibilities: Administer university Code of Conduct to be created Operate currently existing Anonymous Reporting Lineand independent Tier 2 monitoring function Oversee the revised university Policy ProcessNew Position8/29/201610 Inventory Business Activities19 compliance Program ElementCompliance and Legal personnel should be informed as to the company's business activities including new program development of compliance personnel in various institution- wide committeesActive Participation of compliance Personnel in Change Management ProcessEstablishing Policies and Procedures related to New ProgramsNew Business Activities to involve review and feedback from compliance PersonnelLeading PracticesInventory Legal and Regulatory Requirements20 compliance Program ElementCompliance personnel should identify and document the applicability of legal and regulatory requirements to both new and existing and Maintaining Inventory of applicable legal and regulatory

9 RequirementsGood place to start: Higher Education regulatory updatesLeading PracticesMonitoring through Multiple Sources the new laws and regulations; Online subscription to updatesfrom relevant regulators, various industries Risk21 compliance Program ElementThe company should periodically assess the risk of non- compliance with regulatory compliance requirements and the risk of criminal conduct comprehensive enterprise- wide compliance risk assessments periodicallyDriving compliance Program through Risk Assessment ResultsIdentified gaps are tracked and monitored centrally ( , issues log) and assigned to appropriate processowners for prompt resolution and accountabilityLeading PracticesDefine Policy22 compliance Program ElementThe institution should establish a formal, written compliance program administered by a designated chief compliance written programshould also represent an essential source document that will serve as a training and reference tool for all Written compliance Program and Periodically Reviewing itEstablishing Formal Policy FrameworkPeriodically updating Written compliance Program for changes to Legal and Regulatory RequirementsAccessibility of Written Policies to EmployeesLeading Practices8/29/201612 Establish Procedures23 compliance Program ElementCompliance procedures should be detailed in written form and updated as the Institution s environment changes.

10 Appropriateprocedures should bedeveloped to accomplish goals and objectives, as set forth by the company s policies. Policies and procedures should also provide personnel withsufficient information needed to perform a business transaction in a manner designed to prevent violations and to detect or prevent associated risks ofharm among process owners and compliance in developing formal, written compliance -relatedproceduresEstablishing Formal Procedure FrameworkAccessibility of Written Procedures to EmployeesCompliance-related procedures complement and do not contradict established policies and otherproceduresKey process owners and business managers review and approve compliance -related procedures on anannual basisLeading PracticesProvide Training24 compliance Program ElementAll employees including the Board of Trustees should receive relevant training that covers applicable regulations, laws, andinternal policies Needs Periodically ReviewedDeveloping compliance Training in accordance with Risk Assessment ResultsCustomizing Training ContentTracking Employee Comprehension and completionCompletion of compliance Training by the existing and new employeesPeriodic compliance training is provided to the BoardLeading Practices8/29/201613 Monitor Compliance25 compliance Program ElementThe institution must take reasonable steps to ensure that compliance and ethics programs are followed, including monitoring to detect non- compliance , and periodically evaluating the effectiveness of such Comprehensive compliance Monitoring and Testing ScheduleImplementing Formal.