compliance program effectiveness...“tone at the top” –and all the way through the university...
TRANSCRIPT
5/22/2014
1
CONFIDENTIAL1
Compliance Program Effectiveness: Measuring (and Communicating) Benchmarking, Data, and Effectiveness
Gates Garrity-Rokous, OSU
Anna Drummond, UVM
Higher Education Conference
April 16, 2014
Overview
1. Introduction: Why measure?
2. What to measure? (Key Concepts)
3. Compliance Program
4. Integrity Culture
5. Issue Response
Questions on Integrity
(Pick one)
1. I’m good [no questions]
2. I’ve got too many questions
3. Ask me about [name of situation]
4. How would you handle a situation where…… [describe
situation]
Stanley Milgram study (1961)
• Experimenter (E) directs Teacher (T) to give Learner (L) shocks for every wrong answer
• Machine scaled from 15 to 450 volts
• “Learner” was an actor who feigned heart problems and unconsciousness
Questions on Integrity: Prior Results
1. I’m good [no questions]: 22 (27%)
• This response could indicate complacency (need to motivate)
• Lack of engagement in topic?
• Lack of practical experience?
2. I’ve got too many questions: 0 (none)
• This response could indicate confusion (need to educate)
3. Ask me about: [name for situation]: 5 (6%)
• This response indicates comfort discussing ethical issues publicly
• If low: is class culture sufficiently comfortable/supportive? (need to reinforce or build trust)
4. How would you handle a situation where…… [describe situation]: 55 (67%)
• Boss or Company integrity: 21 (26%)
• OSU integrity: 17 (21%)
• Co-worker or fellow student integrity: 5 (6%)
• General ethics: 12 (15%)
N=82
Measuring Integrity: Key Points
1. Integrity culture can be measured. Measuring something signals its importance!
2. What to measure: concern reporting (best predictor of integrity culture)
3. Look for positive deviants
“Better is possible. It does not take genius. It takes diligence. It takes
moral clarity. It takes ingenuity. And above all, it takes a willingness
to try.” Atul Gawande
Overview
1. Introduction: Why measure?
2. What to measure? (Key Concepts)
3. Compliance Program
4. Integrity Culture
5. Issue Response
Key Concepts
Culture of Integrity and Ethics
• “Tone at the top” – and all the way through the university
• Leaders are responsible for building and maintaining culture
• Compliance assists leaders in defining, measuring and improving culture
Compliance Requires Leadership Engagement
• Compliance risk management requires a “programmatic” response
• Leaders are responsible for risks – and therefore own the Compliance program
• Compliance assists leaders in defining and driving program
Measuring Both Culture and Program Ensures Effectiveness
• Simplicity: what to do
• Accountability: who does it – and when
• Control: risk-based approach enables university to demonstrate organizational control to regulators
Key Methods
Risk Based
• Build quantitative and qualitative assessment to measure relative risk of compliance requirements
• Reporting, elevation, and mitigation activities governed by risk based approach
Process Based
• Clarify roles and responsibilities
• Establish repeatable processes
• Measure change
Mission Driven
• Role of compliance is to support institutional objectives:
  • Teaching and learning
  • Research and innovation
  • Outreach and engagement
  • Resource stewardship and simplification
  • Integrity and ethics
Regulation of Higher Education
• Among most extensively regulated industries in the United States
• Hundreds of applicable laws and regulations; hundreds of regulators
• Many applicable laws tied to the receipt of federal funds (e.g., Title IX, Clery Act, Human Research, etc.)
• Many other laws of general application (e.g., Export Controls, ADA, False Claims Act, etc.)
• Increasing regulatory demands and expectations
• New federal and state laws
• Growing complexity of requirements
• More aggressive enforcement initiatives
• Increasing regulatory burden leading to increase in university costs
Board Expectations
University boards expect:
• University compliance with applicable laws and regulations
• Senior management commitment to promote an ethical organizational culture
• Clear and consistent updates on program effectiveness and key milestones
• A consistent approach to risk management that safeguards the university against key legal and regulatory risks
• An effective governance structure that ensures proper reporting and elevation of key issues, which supports oversight and leadership accountability
• Quick and objective resolution of all matters requiring internal investigation
• Effective management of relationships with external regulators
Expectation for Institutional Control
Board of Directors
Organizational Leadership
1st Line of Defense: Business & function leaders; Legal
• Risk ownership & management
• Initial identification, assessment, and control of risk
2nd Line of Defense: Compliance
• Assess, monitor & report specific areas (e.g., core business regulations, ethics)
• Regular testing
3rd Line of Defense: Internal Audit
• Financial reporting, operational effectiveness, etc.
• Periodic testing
Other figure labels: External Auditors; Regulators; Concern Reporting
Source: Institute of Internal Auditors Position Paper, January 2013
Compliance model
1. Risk Assessment & Abatement: Planning; Regulatory inventory; Risk Assessment
2. Communication: Policies; Training
3. Operational controls
4. Evaluation: Testing; Monitoring
5. Issue Response & Reporting: Testing, Monitoring & Audit Results; Investigations & Regulatory Contacts
6. Leadership Engagement
Other figure labels: Governance; Reporting; Legal & regulatory requirements
Overview
1. Introduction: Why measure?
2. What to measure? (Key Concepts)
3. Compliance Program
4. Integrity Culture
5. Issue Response
Program Development and Assessment
Assessment Methodology
Core Processes / Overview
Board Oversight and Plan • Set baseline for core processes
Strategic Plan • Establishes 5-year program objectives
Annual Plan • Establishes 1-year program objectives
• Scorecard tracks implementation
Program Development: Desired End-State

Leadership Engagement
Elements: Governance; Integrity; Leadership expectations
Optimized State:
• A governance process ensuring ongoing ownership and reporting, which links units, the university, and the Board
• University leaders take responsibility for ensuring integrity in colleges and units
• University leaders understand their legal and policy obligations, and take responsibility for owning their compliance risks

Regulatory Inventory
Elements: Subject matter experts; Material requirements; Early warning of change
Optimized State:
• Identification of subject matter experts for all material requirements
• Identification of all material legal and regulatory requirements
• Formalized process for identifying new requirements due to regulatory or operational changes

Risk Assessment & Planning
Elements: Risk assessment; Compliance planning; Updating
Optimized State:
• Standardized risk assessment of material university requirements
• Developed compliance plans to ensure ownership and proactive mitigation planning for all top risks
• Risk assessment and compliance plans updated annually to reflect change and the effectiveness of prior planning efforts

Policies
Elements: Capture legal requirements; Communication; Approval and inventory
Optimized State:
• Policies exist around all key requirements, and policies accurately reflect requirements
• Policy requirements clearly and effectively communicated to all relevant personnel
• Streamlined structure to review, approve, and update policies
• Inventory of all policies

Training
Elements: Delivery and governance; Tracking
Optimized State:
• Training delivery system and governance process to ensure training content reflects requirements, training is delivered to appropriate personnel, training is effective, and training load is streamlined
• Process for tracking assignment and completion of all training

Testing & Monitoring
Elements: Standards; Plan
Optimized State:
• Testing and monitoring standards to measure effectiveness of controls in meeting requirements
• Plan for comprehensive, risk-based testing and monitoring to ensure prioritized testing of controls around requirements

Issue Response
Elements: Appropriate response; Reporting
Optimized State:
• Processes to ensure appropriate response to compliance issues (internal and external) to enable accurate, timely, and fair resolutions
• Channels to ensure reporting for the Board and senior leaders on compliance issues to support accountability and necessary corrective actions

Remediation
Elements: Corrective actions; Reporting
Optimized State:
• Standardized corrective action reports
• Tracking and reporting on implementation and effectiveness of corrective actions
Program Development: Current Status
Maturity scale: Initial; Repeatable; Defined; Managed; Optimized
Figure legend: Original Assessment; Current Status
Elements: Leadership Engagement; Regulatory Inventory; Risk Assessment & Planning; Policies; Training; Testing & Monitoring; Issue Response; Remediation

Current
• Established university risk and compliance committee
• Confirmed owners for top compliance risks
• Identified key legal and regulatory requirements
• Conducted Compliance Risk Assessment
• Created Strategic Plan, Annual Compliance Plan, and key unit plans
• Improved policies and procedures on critical risks (e.g., HIPAA)
• Developed “one university” approach to required training
• Improved testing on critical risks (e.g., animal research)
• Initiated corrective action reports and tracking
• Developed public records and internal audit tracking processes
• Assessed investigation processes; conducting investigations

Next Steps
• Improve unit-level compliance governance
• Survey integrity culture
• Ensure “early warning” of new requirements
• Update compliance plans based on changes to risk profile
• Hire Policy and Training Director
• Transition policy approval process to Compliance
• Develop policy inventory; simplify policy structure
• Hire Policy and Training Director
• Obtain learning management system
• Develop training governance
• Hire Testing and Monitoring Director
• Develop testing and monitoring standards
• Link remediation tracking and reporting to compliance committees
• Implement comprehensive investigations tracking and reporting system
• Design process for regulatory contacts

*Methodology in appendix on pages 15-16
Risk Assessment & Abatement: Overview
Objectives
• Demonstrate capability to proactively identify, assess, and mitigate risk
• Support existing strategic and budget planning processes
• Foundation for compliance program that best meets regulatory objectives
Challenges
• Changing higher education environment (e.g., student debt crisis, distance learning)
• Distributed ownership, unclear governance
• Inconsistent planning and goal accountability (execution risk)
• Complexity
Key principles
• Simplicity and transparency
• Inclusion
• Utility
Regulatory Inventory: Basis for Assessment
Columns: Category | Law, Regulation, or Third-party Accreditation (name) | Regulator(s) | Impact Score (J) | Likelihood Score (K) | Inherent Risk Rating (Risk w/o mitigation) (J x K = L) | Control Assessment Score (M) | Control Trend* | Residual Risk Rating (Risk after mitigation) (M x L) | Reporter Comments
Ethics Laws | State purchasing laws | courts | 0 0
Disclosure Laws | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act/Higher Education Opportunity Act ("Clery Act") | U.S. Department of Education
Anti-Discrimination Laws | Americans with Disabilities Act of 1990 as amended by the ADA Amendments Act of 2008 | Department of Education Office for Civil Rights | 0 0
Anti-Discrimination Laws | Ohio's Fair Employment Practices Law | Ohio Civil Rights Commission/U.S. Equal Employment Opportunity Commission | 0
Labor and Employment | Ohio Whistleblower Statute | Court of Common Pleas
Inherent Risk Assessment [Severity of risk without mitigation]
Key Points:
• Assess Impact based on highest rated category
• Assess likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood
Control Assessment [Effectiveness of efforts to mitigate identified risks]
Key Points:
• For opportunity (future) risks, assess planning (not controls)
• Capture evaluation of controls, including trending, in Comments
Output: Compliance Risks
[Figure: compliance risks numbered 1 to 20 plotted on a grid; axis labels: Strong to Weak, Low to High]
Risk Assessment and Planning: Summary
• Identified key risks across all risk
categories
• Identified key regulatory requirements
across all risk categories (Compliance)
• Determined inherent and residual
ratings for each requirement and each
risk category
• Ranked risks according to residual
rating
Consistent Assessment Process Risk Mitigation and Planning
Inherent Risk (severity of risk without mitigation)
• Impact: degree of financial, reputational, and/or regulatory harm caused
• Likelihood: probability of occurrence
• Impact Score x Likelihood Score = Inherent Risk
• Note: compliance risks based on regulatory requirements
Residual Risk
• Control Assessment: measured current mitigation
• Inherent Risk x Control Assessment = Residual Risk
• Identified cross-University risks
• Conducted unit-specific assessments in key units (Medical Center, Office of Research, Environmental Health & Safety, Athletics)
Annual Plan Components
Columns: Framework | Risk Mitigation | Issue Response
Governance
• Board reporting (Audit & Compliance Committee)
• University/Department Compliance Committees
Expertise & resources
• Departments: Athletics, Medical, Research, HR Enrollment, Accreditation
• Risk Areas: EHS, ADA, Info Security, Privacy/HIPAA, Title IX/Clery Act
Ethics and Integrity Culture
• Code of Values
• Culture Survey and actions
Key Compliance processes
• Compliance Risk Assessment
• Annual Compliance Plan
• Compliance policies
• Training
• Testing & Monitoring
• Reporting
Key University processes
• University policy approval
• Conflicts of Interest
Investigations
• Standards, corrective actions tracking and closure, reporting
• Anonymous reports (Ethics Point)
• Compliance elevations, testing, & audit issues
Public Records Requests
• Tracking and closure, early warning identification, reporting
Regulatory contacts and enforcement
• Tracking and closure, early warning identification, reporting
Internal Audit
• Tracking audit findings
Compliance Planning: Results
Planning: Key Components
1. FY2014 Regulatory Inventory and Compliance Risk
Assessment
2. External Environment
• Specific regulatory expectations
• Key regulatory findings or sanctions
3. Internal Environment
• Internal audit findings
• Regulatory examinations and feedback
• Current strategic initiatives and operational challenges
4. Strategic Plan: 5-year goals in strategic focus areas
• Integrity Culture
• Risk Mitigation
• Issue Response
FY2015 Annual Plan Components
• Integrity culture
• Mitigation of Compliance Risks
• University-wide risks (e.g., Title IX, ADA)
• Unit-level risks (e.g., research compliance, athletics. Note: individual
units
• Improvements to Compliance processes: policy review; training;
testing & monitoring; conflicts of interest
• Issue response: create processes for public records, investigations,
regulatory contacts, and audit findings
Compliance Plan: Individual Risk Planning Template
Compliance Plan: Reporting Template
Interviews or discussions were held with the following individuals and groups:
Individuals
• VP for Finance and Administration
• VP Research and Dean of the Graduate College
• Interim VP Research
• VP for University Relations and Campus Life
• Chief Diversity Officer
• AVP for Sponsored Programs Administration
• Chief Information Officer
• Chief Internal Auditor
• Controller
• Director of AAEO
• Information Security Officer
• Deans Council
• Associate Deans Council
• Academic Business Managers
Workplan Interviews
Tracking of Substance Areas
Template for Compliance Assessment
Compliance Category | Description | Risk Rating: Impact/Likelihood (H-High/M-Medium)
Discrimination | Discrimination (AA/EEOC, ADA, Age, VT Fair Employment practices) | M, M
Discrimination | Sexual Harassment, Title IX (increased oversight) | M, M
Employment | HR Compliance Issues (I-9, Temp Employees, Background Checks, FMLA, Health Care Reform, Workers Compensation) | M, H
Employment | Employment Compliance (FLSA) | M, H
Employment/Student Issues | Immigration, Foreign Nationals (Employees and Students) | M, M
Finance and Business | IRS Compliance | M, M
Finance and Business | Tax Exempt Bond Compliance | H, M
Finance and Business | Endowment/Gifts Compliance | L, L
Privacy | Privacy and Records Retention HIPAA, VT ACT162, GLB, CIPSEA | H, H
Health and Safety | Laboratory Safety | M, H
Health and Safety | OSHA Compliance | M, H
Health and Safety | VAWA, Clery Act | M, H
Research | Accounting for sponsored awards (OMB A-81, subrecipient monitoring) | H, H
Research | Conflict of Interest (NIH amendments and increased oversight) | H, M
Research | Research: Scientific Misconduct | H, H
Research | Human Subjects (IRB operations) | H, M
Research | Export Controls | H, H
Research | Intellectual Property | M, M
Student Issues | Federal Student Aid – (Title IV Eligibility) | H, M
Student Issues | NCAA | M, M
* Shaded areas indicate planned FY2014 work plan activity; specific topics are bolded. A slash indicates work plan activity
was completed in a prior year.
**Ongoing efforts from prior year work plan will be continued.
Compliance Risk Assessment*
Template
Log for Outstanding Recommendations
Overview
1. Introduction: Why measure?
2. What to measure? (Key Concepts)
3. Compliance Program
4. Integrity Culture
5. Issue Response
1. Please indicate your awareness, before today, of the University’s Office of
Compliance Services.
2013 Compliance Awareness Survey
2. Please indicate your awareness, before today, of the University’s Code of
Business Conduct.
3. Do you know how to confidentially report violations of the Code of Business
Conduct, law, regulation or University policy? ¹
¹The Compliance Office utilizes the most effective tools for creating hotline awareness as reflected in the 2013 Corporate Governance and Compliance Hotline
Benchmarking Report published by The Network, Inc. and including survey results from over 1,100 organizations. These methods include posters, internet/intranet and
brochures.
4. Are you confident that you would be protected from retaliation if you
reported a violation?
5. Please indicate your level of agreement with the following statement: The
University of Vermont fosters a “Culture of Compliance”.
6. Have you experienced or observed misconduct (i.e. a violation of the Code of
Business Conduct, law, regulation or University policy) within the last 12
months?
Summary trend charts on awareness and cultural questions
Overview
1. Introduction: Why measure?
2. What to measure? (Key Concepts)
3. Compliance Program
4. Integrity Culture
5. Issue Response
Ethics and Compliance
Reporting and Help Line
Government Reviews
Consultations by Issue Type and Calendar-Year Quarter
Consults
Template
Privacy Incident Log
Breaches
Communications Related Solely to Compliance Services, Code of Conduct and Help Line
Outreach
Public Records
Data includes requests processed by Public Records Office for calendar year 2013

Rating | Total | Days Open
5 | 65 | 27.7
4 | 30 | 15.4
Total | 95 | 23.8

Materiality Ratings
Rating | Public Interest | Frequency | University Interest | Litigation Risk
5 | Major reputational topic; major public interest | Numerous requesters making multiple requests | Highly sensitive or involves very significant/complex legal issues | Significant legal action imminent
4 | High risk of miscommunication; general public interest | Multiple requesters/same issue(s) | Sensitive, or involves complex legal issues | Legal action threatened
3 | Potential for significant publicity; low risk of miscommunication | Second requester/same issue(s) | Potentially sensitive, or involves routine legal issues | Potential for litigation
2 | Potential for publicity; no known interest to public | One-time request including multiple issues | Not sensitive; no legal issues identified | Request sent via certified mail or hand delivered
1 | No potential for publicity; no known interest to public | One-time, unique request | Routine request for clearly public records | No possibility of legal action

Action Steps Summary
Rating | Action Steps Summary
5 | Key stakeholders advised; production overseen by OLA
4 | Appropriate Senior Leaders advised; production overseen by OLA
3 | PRO & unit collaborate on production
2 | PRO oversees local production
1 | Local production

[Chart: Public Records Requests Rated 4 or 5 by Unit; vertical axis 0 to 25; units: Academic Affairs, Airport, Athletics, Board of Trustees, Business & Finance, Communications, FOD, Foundation, Government Affairs, Internal Audit, Investments, Legal Affairs, Medical Center, PARE, President's Office, Public Records, Research]
Internal Audit
Data includes internal audit reports from 5/2013-12/2013

Materiality Ratings
Rating | Description
5 | Routinely does not comply or significant noncompliance with policies and control activities. Immediate improvement is necessary.
4 | Partially complies with policies and control activities. Substantial opportunities for improvement exist.
3 | Partially complies with policies and control activities. Opportunities for improvement exist.
2 | Generally complies with policies and control activities. Minor opportunities for improvement exist.
1 | Generally complies with policies and control activities.

Findings Rated 5 or After 1st Follow Up
Findings | Number
Rated 5 | 1
2nd follow up | 13
3rd follow up | 1

Type of Finding | Number
[Issue 1] | 11
[Issue 2] | 1
[Issue 3] | 1
[Issue 4] | 1
[Issue 5] | 1

Unit | Number
[College 1] | 5
[College 2] | 4
[College 3] | 3
[College 4] | 2
[College 5] | 1

Findings of All Ratings and Follow Ups
Top Findings | Number
[Issue 1] | 93
[Issue 2] | 66
[Issue 3] | 64
[Issue 4] | 58
[Issue 5] | 43
Investigations
Data includes University-wide investigations since 1/1/13; includes investigations conducted by Compliance, OHR, Med Ctr HR, Med Ctr Compliance, Research Compliance, Title IX, Internal Audit, Faculty Misconduct, OCIO, OLA, ADA, OSUPD

Materiality Ratings
Rating | Public Interest | Subject Position | Regulatory
5 | Major reputational topic; of immediate interest to the general public | Concerns unit or senior leader | Regulatory debarment or shutdown
4 | Potential for significant publicity; of interest to the general public | Concerns management of some seniority | Regulatory probation/ongoing supervision
3 | Potential for publicity; could be of interest to the general public | Concerns staff or faculty | Regulatory warning letter or equivalent
2 | Small potential for publicity; no known interest to the general public | Concerns staff or faculty | Advisory letter or other indication of ongoing interest
1 | No potential for publicity; no known interest to the general public | Concerns staff or faculty | No regulatory enforcement interest

Action Steps Summary
Rating | Action Steps Summary
5 | Key stakeholders advised; investigation coordinated by OUCI
4 | Appropriate Senior Leaders advised; investigation overseen by OUCI
3 | Management advised; OUCI and Unit collaborate on investigation
2 | Unit oversees investigation
1 | Local investigation

Rating | Closed Investigations | Findings | Open
5 | 0 | 0 | 0
4 | 2 | 1 | 1
3 | 7 | 2 | 2
2 | 4 | 1 | 2
1 | 10 | 4 | 4
Total | 23 | 8 | 9

Unit | Number
[College 1] | 10
[College 2] | 7
[College 3] | 4
[College 4] | 2
[College 5] | 2
[College 6] | 2
[College 7] | 1
[College 8] | 1
[College 9] | 1
[College 10] | 1
[College 11] | 1
[College 12] | 0

Type of Issue | Number
[Issue 1] | 7
[Issue 2] | 6
[Issue 3] | 5
[Issue 4] | 4
[Issue 5] | 4
Investigations: Tracking
Governance Model
[Figure: reporting levels: Board; Senior Leadership; College 1, College 2, Unit (e.g. HR)]
Line 1: Operational Owner
Line 2: Compliance
Line 3: Internal Audit
Reporting at Multiple Levels
Regular Reporting
1. Key updates and issues
2. Status of Compliance Plan
3. Issue Response findings
Unit-level Report: Issue Responses*
*Data as of 12/23/13

Investigations
[Chart: Number of Investigations by Rating]
• Summary:
  • 51 closed investigations
  • 13 with findings
  • 18 remain open
Top Issue Types | Number
Discrimination/Harassment/Workplace Violence | 6
Whistleblower/Retaliation | 5
Patient Rights/Patient Care | 4
Sexual Harassment/Prohibited Relationship | 5
Drug/Alcohol Usage | 4
Inappropriate Use of University Resources | 5
Conflict of Interest | 3

Internal Audit
Area Audited | Findings
College of Medicine (4/13) | 7
Univ Hospital & Ross Pharmacy (10/13) | 6
Univ Hospital & Ross Operating Rooms (8/13) | 19
James Nursing (9/13) | 16
Univ Hospital Rehab (8/13) | 16
Hospital Medical Surgical Nursing (9/13) | 13
Univ Hospital Critical Care (8/13) | 12
Harding Hospital (8/13) | 10
Med Ctr Fin Svcs & Rev Cycle Svcs (10/13) | 9
Gahanna Family Practice Clinic (5/13) | 6
Med Ctr Procure to Pay Process (5/13) | 5
Cardiology Outreach (6/13) | 4
Univ Hospital East ER (9/13) | 2
• Audit of conflicts of interest process
• As of 12/23, CoM cleared 18 of 21 items; “no progress” noted regarding finding on administration

Public Records Requests
[Chart: Number of PR Requests by Rating]
• Summary:
  • 46 public records requests
  • 17 days open on average
  • 3 remain open
Type of Issue | Number
Human Resources | 25
Business | 21
• The 3 PRRs that remain open are rated 1
• The PRRs rated 4 include a copy of the Conflict of Interest Policy, physician compensation information, certain business arrangements information, and information security incident reports

Attorney-Client Privileged
• Corrective Actions:
• Next steps:
Contact Information
Compliance Program Effectiveness: Measuring (and Communicating) Benchmarking, Data, and Effectiveness
Gates Garrity-Rokous, OSU
Anna Drummond, UVM
Higher Education Conference
April 16, 2014