compliance program effectiveness...“tone at the top” –and all the way through the university...


Post on 15-Sep-2020


Page 1: Compliance Program Effectiveness...“Tone at the top” –and all the way through the university Leaders are responsible for building and maintaining culture Compliance assists leaders

5/22/2014

1

CONFIDENTIAL1

Compliance Program Effectiveness: Measuring (and Communicating) Benchmarking, Data, and Effectiveness

Gates Garrity-Rokous, OSU

Anna Drummond, UVM

Higher Education Conference

April 16, 2014


Overview

1. Introduction: Why measure?

2. What to measure? (Key Concepts)

3. Compliance Program

4. Integrity Culture

5. Issue Response


Questions on Integrity

(Pick one)

1. I’m good [no questions]

2. I’ve got too many questions

3. Ask me about [name of situation]

4. How would you handle a situation where… [describe situation]

Stanley Milgram study (1961)

• Experimenter (E) directs Teacher (T) to give Learner (L) shocks for every wrong answer
• Machine scaled from 15 to 450 volts
• “Learner” was an actor who feigned heart problems and unconsciousness


Questions on Integrity: Prior Results

N=82

1. I’m good [no questions]: 22 (27%)
  • This response could indicate complacency (need to motivate)
  • Lack of engagement in topic?
  • Lack of practical experience?

2. I’ve got too many questions: 0 (none)
  • This response could indicate confusion (need to educate)

3. Ask me about: [name for situation]: 5 (6%)
  • This response indicates comfort discussing ethical issues publicly
  • If low: is class culture sufficiently comfortable/supportive? (need to reinforce or build trust)

4. How would you handle a situation where… [describe situation]: 55 (67%)
  • Boss or Company integrity: 21 (26%)
  • OSU integrity: 17 (21%)
  • Co-worker or fellow student integrity: 5 (6%)
  • General ethics: 12 (15%)


Measuring Integrity: Key Points

1. Integrity culture can be measured. Measuring something signals its importance!

2. What to measure: concern reporting (best predictor of integrity culture)

3. Look for positive deviants

“Better is possible. It does not take genius. It takes diligence. It takes moral clarity. It takes ingenuity. And above all, it takes a willingness to try.” Atul Gawande


Overview

1. Introduction: Why measure?

2. What to measure? (Key Concepts)

3. Compliance Program

4. Integrity Culture

5. Issue Response


Key Concepts

Culture of Integrity and Ethics

• “Tone at the top” – and all the way through the university
• Leaders are responsible for building and maintaining culture
• Compliance assists leaders in defining, measuring and improving culture

Compliance Requires Leadership Engagement

• Compliance risk management requires a “programmatic” response
• Leaders are responsible for risks – and therefore own the Compliance program
• Compliance assists leaders in defining and driving program

Measuring Both Culture and Program Ensures Effectiveness

• Simplicity: what to do
• Accountability: who does it – and when
• Control: risk-based approach enables university to demonstrate organizational control to regulators

Key Methods

Risk Based

• Build quantitative and qualitative assessment to measure relative risk of compliance requirements
• Reporting, elevation, and mitigation activities governed by risk based approach

Process Based

• Clarify roles and responsibilities
• Establish repeatable processes
• Measure change

Mission Driven

• Role of compliance is to support institutional objectives:
  • Teaching and learning
  • Research and innovation
  • Outreach and engagement
  • Resource stewardship and simplification
  • Integrity and ethics


Regulation of Higher Education

• Among most extensively regulated industries in the United States
• Hundreds of applicable laws and regulations; hundreds of regulators
• Many applicable laws tied to the receipt of federal funds (e.g., Title IX, Clery Act, Human Research, etc.)
• Many other laws of general application (e.g., Export Controls, ADA, False Claims Act, etc.)
• Increasing regulatory demands and expectations
• New federal and state laws
• Growing complexity of requirements
• More aggressive enforcement initiatives
• Increasing regulatory burden leading to increase in university costs

Board Expectations

University boards expect:

• University compliance with applicable laws and regulations
• Senior management commitment to promote an ethical organizational culture
• Clear and consistent updates on program effectiveness and key milestones
• A consistent approach to risk management that safeguards the university against key legal and regulatory risks
• An effective governance structure that ensures proper reporting and elevation of key issues, which supports oversight and leadership accountability
• Quick and objective resolution of all matters requiring internal investigation
• Effective management of relationships with external regulators


Expectation for Institutional Control

[Figure: three lines of defense, reporting to Organizational Leadership and the Board of Directors, with External Auditors and Regulators outside the three lines; side label: Concern Reporting]

1st Line of Defense: Business & function leaders; Legal
• Risk ownership & management
• Initial identification, assessment, and control of risk

2nd Line of Defense: Compliance
• Assess, monitor & report specific areas (e.g., core business regulations, ethics)
• Regular testing

3rd Line of Defense: Internal Audit
• Financial reporting, operational effectiveness, etc.
• Periodic testing

Source: Institute of Internal Auditors Position Paper, January 2013

Compliance model

[Figure: compliance model diagram. Numbered elements: 1. Risk Assessment & Abatement; 2. Communication; 3. Operational controls; 4. Evaluation; 5. Issue Response & Reporting; 6. Leadership Engagement. Component labels: Planning; Regulatory inventory; Risk Assessment; Testing; Monitoring; Policies; Training; Governance; Reporting; Testing, Monitoring & Audit Results; Investigations & Regulatory Contacts. Other label: Legal & regulatory requirements.]


Overview

1. Introduction: Why measure?

2. What to measure? (Key Concepts)

3. Compliance Program

4. Integrity Culture

5. Issue Response

Program Development and Assessment

Assessment Methodology

Core Processes

Overview

Board Oversight and Plan • Set baseline for core processes

Strategic Plan • Establishes 5-year program objectives

Annual Plan • Establishes 1-year program objectives

• Scorecard tracks implementation


Program Development: Desired End-State

Leadership Engagement
Elements:
• Governance
• Integrity
• Leadership expectations
Optimized State:
• A governance process ensuring ongoing ownership and reporting, which links units, the university, and the Board
• University leaders take responsibility for ensuring integrity in colleges and units
• University leaders understand their legal and policy obligations, and take responsibility for owning their compliance risks

Regulatory Inventory
Elements:
• Subject matter experts
• Material requirements
• Early warning of change
Optimized State:
• Identification of subject matter experts for all material requirements
• Identification of all material legal and regulatory requirements
• Formalized process for identifying new requirements due to regulatory or operational changes

Risk Assessment & Planning
Elements:
• Risk assessment
• Compliance planning
• Updating
Optimized State:
• Standardized risk assessment of material university requirements
• Developed compliance plans to ensure ownership and proactive mitigation planning for all top risks
• Risk assessment and compliance plans updated annually to reflect change and the effectiveness of prior planning efforts

Policies
Elements:
• Capture legal requirements
• Communication
• Approval and inventory
Optimized State:
• Policies exist around all key requirements, and policies accurately reflect requirements
• Policy requirements clearly and effectively communicated to all relevant personnel
• Streamlined structure to review, approve, and update policies
• Inventory of all policies

Training
Elements:
• Delivery and governance
• Tracking
Optimized State:
• Training delivery system and governance process to ensure training content reflects requirements, training is delivered to appropriate personnel, training is effective, and training load is streamlined
• Process for tracking assignment and completion of all training

Testing & Monitoring
Elements:
• Standards
• Plan
Optimized State:
• Testing and monitoring standards to measure effectiveness of controls in meeting requirements
• Plan for comprehensive, risk-based testing and monitoring to ensure prioritized testing of controls around requirements

Issue Response
Elements:
• Appropriate response
• Reporting
Optimized State:
• Processes to ensure appropriate response to compliance issues (internal and external) to enable accurate, timely, and fair resolutions
• Channels to ensure reporting for the Board and senior leaders on compliance issues to support accountability and necessary corrective actions

Remediation
Elements:
• Corrective actions
• Reporting
Optimized State:
• Standardized corrective action reports
• Tracking and reporting on implementation and effectiveness of corrective actions

Program Development: Current Status

[Chart: maturity scale Initial, Repeatable, Defined, Managed, Optimized, plotted for each column: Leadership Engagement; Regulatory Inventory; Risk Assessment & Planning; Policies; Training; Testing & Monitoring; Issue Response; Remediation. Legend: Original Assessment; Current Status.]

Current

• Established university risk and compliance committee
• Confirmed owners for top compliance risks
• Identified key legal and regulatory requirements
• Conducted Compliance Risk Assessment
• Created Strategic Plan, Annual Compliance Plan, and key unit plans
• Improved policies and procedures on critical risks (e.g., HIPAA)
• Developed “one university” approach to required training
• Improved testing on critical risks (e.g., animal research)
• Initiated corrective action reports and tracking
• Developed public records and internal audit tracking processes
• Assessed investigation processes; conducting investigations

Next Steps

• Improve unit-level compliance governance
• Survey integrity culture
• Ensure “early warning” of new requirements
• Update compliance plans based on changes to risk profile
• Hire Policy and Training Director
• Transition policy approval process to Compliance
• Develop policy inventory; simplify policy structure
• Hire Policy and Training Director
• Obtain learning management system
• Develop training governance
• Hire Testing and Monitoring Director
• Develop testing and monitoring standards
• Link remediation tracking and reporting to compliance committees
• Implement comprehensive investigations tracking and reporting system
• Design process for regulatory contacts

*Methodology in appendix on pages 15-16


Risk Assessment & Abatement: Overview

Objectives

• Demonstrate capability to proactively identify, assess, and mitigate risk
• Support existing strategic and budget planning processes
• Foundation for compliance program that best meets regulatory objectives

Challenges

• Changing higher education environment (e.g., student debt crisis, distance learning)
• Distributed ownership, unclear governance
• Inconsistent planning and goal accountability (execution risk)
• Complexity

Key principles

• Simplicity and transparency
• Inclusion
• Utility

Regulatory Inventory: Basis for Assessment

Columns:

• Category
• Law, Regulation, or Third-party Accreditation (name)
• Regulator(s)
• Impact Score (J)
• Likelihood Score (K)
• Inherent Risk Rating (Risk w/o mitigation) (J x K = L)
• Control Assessment Score (M)
• Control Trend*
• Residual Risk Rating (Risk after mitigation) (M x L)
• Reporter Comments

Sample rows (Category | Law, Regulation, or Third-party Accreditation | Regulator(s)); the score cells appear only as 0 or blank:

Ethics Laws | State purchasing laws | courts
Disclosure Laws | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act/ Higher Education Opportunity Act ("Clery Act") | U.S. Department of Education
Anti-Discrimination Laws | Americans with Disabilities Act of 1990 as amended by the ADA Amendments Act of 2008 | Department of Education Office for Civil Rights
Anti-Discrimination Laws | Ohio's Fair Employment Practices Law | Ohio Civil Rights Commission/ U.S. Equal Employment Opportunity Commission
Labor and Employment | Ohio Whistleblower Statute | Court of Common Pleas


Inherent Risk Assessment [Severity of risk without mitigation]

Key Points:

• Assess Impact based on highest rated category
• Assess likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood

Control Assessment [Effectiveness of efforts to mitigate identified risks]

Key Points:

• For opportunity (future) risks, assess planning (not controls)
• Capture evaluation of controls, including trending, in Comments


Output: Compliance Risks

[Figure: compliance risks numbered 1 to 20 plotted on a chart; axis end labels: Strong / Weak and Low / High]

Risk Assessment and Planning: Summary

• Identified key risks across all risk categories
• Identified key regulatory requirements across all risk categories (Compliance)
• Determined inherent and residual ratings for each requirement and each risk category
• Ranked risks according to residual rating

Consistent Assessment Process / Risk Mitigation and Planning

Inherent Risk (severity of risk without mitigation)

• Impact: degree of financial, reputational, and/or regulatory harm caused
• Likelihood: probability of occurrence
• Impact Score x Likelihood Score = Inherent Risk
• Note: compliance risks based on regulatory requirements

Residual Risk

• Control Assessment: measured current mitigation
• Inherent Risk x Control Assessment = Residual Risk
• Identified cross-University risks
• Conducted unit-specific assessments in key units (Medical Center, Office of Research, Environmental Health & Safety, Athletics)


Annual Plan Components

Framework / Risk Mitigation / Issue Response

Governance
• Board reporting (Audit & Compliance Committee)
• University/Department Compliance Committees

Expertise & resources
• Departments: Athletics, Medical, Research, HR Enrollment, Accreditation
• Risk Areas: EHS, ADA, Info Security, Privacy/HIPAA, Title IX/Clery Act

Ethics and Integrity Culture
• Code of Values
• Culture Survey and actions

Key Compliance processes
• Compliance Risk Assessment
• Annual Compliance Plan
• Compliance policies
• Training
• Testing & Monitoring
• Reporting

Key University processes
• University policy approval
• Conflicts of Interest

Investigations
• Standards, corrective actions tracking and closure, reporting
• Anonymous reports (Ethics Point)
• Compliance elevations, testing, & audit issues

Public Records Requests
• Tracking and closure, early warning identification, reporting

Regulatory contacts and enforcement
• Tracking and closure, early warning identification, reporting

Internal Audit
• Tracking audit findings

Compliance Planning: Results

Planning: Key Components

1. FY2014 Regulatory Inventory and Compliance Risk Assessment

2. External Environment
  • Specific regulatory expectations
  • Key regulatory findings or sanctions

3. Internal Environment
  • Internal audit findings
  • Regulatory examinations and feedback
  • Current strategic initiatives and operational challenges

4. Strategic Plan: 5-year goals in strategic focus areas
  • Integrity Culture
  • Risk Mitigation
  • Issue Response

FY2015 Annual Plan Components

• Integrity culture
• Mitigation of Compliance Risks
  • University-wide risks (e.g., Title IX, ADA)
  • Unit-level risks (e.g., research compliance, athletics. Note: individual units
• Improvements to Compliance processes: policy review; training; testing & monitoring; conflicts of interest
• Issue response: create processes for public records, investigations, regulatory contacts, and audit findings


Compliance Plan: Individual Risk Planning Template


Compliance Plan: Reporting Template


Interviews or discussions were held with the following individuals and groups:

Individuals

• VP for Finance and Administration

• VP Research and Dean of the Graduate College

• Interim VP Research

• VP for University Relations and Campus Life

• Chief Diversity Officer

• AVP for Sponsored Programs Administration

• Chief Information Officer

• Chief Internal Auditor

• Controller

• Director of AAEO

• Information Security Officer

• Deans Council

• Associate Deans Council

• Academic Business Managers

Workplan Interviews

Tracking of Substance Areas

Template for Compliance Assessment

Compliance Category | Description | Risk Rating: Impact/Likelihood (H-High/M-Medium)
Discrimination | Discrimination (AA/EEOC, ADA, Age, VT Fair Employment practices) | M, M
Discrimination | Sexual Harassment, Title IX (increased oversight) | M, M
Employment | HR Compliance Issues (I-9, Temp Employees, Background Checks, FMLA, Health Care Reform, Workers Compensation) | M, H
Employment | Employment Compliance (FLSA) | M, H
Employment/Student Issues | Immigration, Foreign Nationals (Employees and Students) | M, M
Finance and Business | IRS Compliance | M, M
Finance and Business | Tax Exempt Bond Compliance | H, M
Finance and Business | Endowment/Gifts Compliance | L, L
Privacy | Privacy and Records Retention HIPAA, VT ACT162, GLB, CIPSEA | H, H
Health and Safety | Laboratory Safety | M, H
Health and Safety | OSHA Compliance | M, H
Health and Safety | VAWA, Clery Act | M, H
Research | Accounting for sponsored awards (OMB A-81, subrecipient monitoring) | H, H
Research | Conflict of Interest (NIH amendments and increased oversight) | H, M
Research | Research: Scientific Misconduct | H, H
Research | Human Subjects (IRB operations) | H, M
Research | Export Controls | H, H
Research | Intellectual Property | M, M
Student Issues | Federal Student Aid – (Title IV Eligibility) | H, M
Student Issues | NCAA | M, M

Compliance Risk Assessment*

* Shaded areas indicate planned FY2014 work plan activity; specific topics are bolded. A slash indicates work plan activity was completed in a prior year.

** Ongoing efforts from prior year work plan will be continued.


Template

Log for Outstanding Recommendations


Overview

1. Introduction: Why measure?

2. What to measure? (Key Concepts)

3. Compliance Program

4. Integrity Culture

5. Issue Response

2013 Compliance Awareness Survey

[Response charts for each question, and the summary trend charts, are not reproduced.]

1. Please indicate your awareness, before today, of the University’s Office of Compliance Services.

2. Please indicate your awareness, before today, of the University’s Code of Business Conduct.

3. Do you know how to confidentially report violations of the Code of Business Conduct, law, regulation or University policy? ¹

4. Are you confident that you would be protected from retaliation if you reported a violation?

5. Please indicate your level of agreement with the following statement: The University of Vermont fosters a “Culture of Compliance”.

6. Have you experienced or observed misconduct (i.e. a violation of the Code of Business Conduct, law, regulation or University policy) within the last 12 months?

¹ The Compliance Office utilizes the most effective tools for creating hotline awareness as reflected in the 2013 Corporate Governance and Compliance Hotline Benchmarking Report published by The Network, Inc. and including survey results from over 1,100 organizations. These methods include posters, internet/intranet and brochures.

Summary trend charts on awareness and cultural questions


Overview

1. Introduction: Why measure?

2. What to measure? (Key Concepts)

3. Compliance Program

4. Integrity Culture

5. Issue Response

Ethics and Compliance Reporting and Help Line

[Slides 51-56: only the slide title survives.]

Government Reviews

[Slides 57-58: only the slide title survives.]

Consultations by Issue Type and Calendar-Year Quarter

Consults


Template


Privacy Incident Log

Breaches


Communications Related Solely to Compliance Services, Code of Conduct and Help Line

Outreach

Public Records

Data includes requests processed by Public Records Office for calendar year 2013

Rating | Total | Days Open
5 | 65 | 27.7
4 | 30 | 15.4
Total | 95 | 23.8

Materiality Ratings

Rating | Public Interest | Frequency | University Interest | Litigation Risk
5 | Major reputational topic; major public interest | Numerous requesters making multiple requests | Highly sensitive or involves very significant/complex legal issues | Significant legal action imminent
4 | High risk of miscommunication; general public interest | Multiple requesters/same issue(s) | Sensitive, or involves complex legal issues | Legal action threatened
3 | Potential for significant publicity; low risk of miscommunication | Second requester/same issue(s) | Potentially sensitive, or involves routine legal issues | Potential for litigation
2 | Potential for publicity; no known interest to public | One-time request including multiple issues | Not sensitive; no legal issues identified | Request sent via certified mail or hand delivered
1 | No potential for publicity; no known interest to public | One-time, unique request | Routine request for clearly public records | No possibility of legal action

[Figure: bar chart "Public Records Requests Rated 4 or 5 by Unit"; vertical axis 0 to 25; units: Academic Affairs, Airport, Athletics, Board of Trustees, Business & Finance, Communications, FOD, Foundation, Government Affairs, Internal Audit, Investments, Legal Affairs, Medical Center, PARE, President's Office, Public Records, Research]

Action Steps Summary

Rating | Action Steps Summary
5 | Key stakeholders advised; production overseen by OLA
4 | Appropriate Senior Leaders advised; production overseen by OLA
3 | PRO & unit collaborate on production
2 | PRO oversees local production
1 | Local production

Internal Audit

Data includes internal audit reports from 5/2013-12/2013

Findings Rated 5 or After 1st Follow Up

Findings | Number
Rated 5 | 1
2nd follow up | 13
3rd follow up | 1

Top Findings | Number
[Issue 1] | 93
[Issue 2] | 66
[Issue 3] | 64
[Issue 4] | 58
[Issue 5] | 43

Materiality Ratings

Rating | Description
5 | Routinely does not comply or significant noncompliance with policies and control activities. Immediate improvement is necessary.
4 | Partially complies with policies and control activities. Substantial opportunities for improvement exist.
3 | Partially complies with policies and control activities. Opportunities for improvement exist.
2 | Generally complies with policies and control activities. Minor opportunities for improvement exist.
1 | Generally complies with policies and control activities.

Type of Finding | Number
[Issue 1] | 11
[Issue 2] | 1
[Issue 3] | 1
[Issue 4] | 1
[Issue 5] | 1

Unit | Number
[College 1] | 5
[College 2] | 4
[College 3] | 3
[College 4] | 2
[College 5] | 1

Findings of All Ratings and Follow Ups

Page 33: Compliance Program Effectiveness...“Tone at the top” –and all the way through the university Leaders are responsible for building and maintaining culture Compliance assists leaders

5/22/2014

33

CONFIDENTIAL65

Data includes University-wide investigations since 1/1/13; includes investigations conducted by Compliance, OHR, Med Ctr HR,

Med Ctr Compliance, Research Compliance, Title IX, Internal Audit, Faculty Misconduct, OCIO, OLA, ADA, OSUPD

Rating | Public Interest | Subject Position | Regulatory

5 | Major reputational topic; of immediate interest to the general public | Concerns unit or senior leader | Regulatory debarment or shutdown

4 | Potential for significant publicity; of interest to the general public | Concerns management of some seniority | Regulatory probation/ongoing supervision

3 | Potential for publicity; could be of interest to the general public | Concerns staff or faculty | Regulatory warning letter or equivalent

2 | Small potential for publicity; no known interest to the general public | Concerns staff or faculty | Advisory letter or other indication of ongoing interest

1 | No potential for publicity; no known interest to the general public | Concerns staff or faculty | No regulatory enforcement interest

Materiality Ratings

Rating | Action Steps Summary

5 | Key stakeholders advised; Investigation coordinated by OUCI

4 | Appropriate Senior Leaders advised; investigation overseen by OUCI

3 | Management advised; OUCI and Unit collaborate on investigation

2 | Unit oversees investigation

1 | Local investigation

Action Steps Summary

Investigations

Unit Number

[College 1] 10

[College 2] 7

[College 3] 4

[College 4] 2

[College 5] 2

[College 6] 2

[College 7] 1

[College 8] 1

[College 9] 1

[College 10] 1

[College 11] 1

[College 12] 0

Rating | Closed Investigations | Findings | Open

5 | 0 | 0 | 0

4 | 2 | 1 | 1

3 | 7 | 2 | 2

2 | 4 | 1 | 2

1 | 10 | 4 | 4

Total | 23 | 8 | 9

Type of Issue Number

[Issue 1] 7

[Issue 2] 6

[Issue 3] 5

[Issue 4] 4

[Issue 5] 4


Investigations: Tracking


Board

Senior Leadership

College 1, College 2, Unit (e.g. HR)

Line 1: Operational Owner

Line 2: Compliance

Line 3: Internal Audit

Governance Model

Reporting at Multiple Levels

1. Key updates and issues

2. Status of Compliance Plan

3. Issue Response findings

Regular Reporting


Unit-level Report: Issue Responses*

Panels: Investigations; Internal Audit; Public Records Requests

Number of Investigations by Rating

- Summary:
  - 51 closed investigations
  - 13 with findings
  - 18 remain open

- Summary:
  - 46 public records requests
  - 17 days open on average
  - 3 remain open

Type of Issue Number

Human Resources 25

Business 21

Number of PR Requests by Rating

Top Issue Types Number

Discrimination/Harassment/Workplace Violence 6

Whistleblower/Retaliation 5

Patient Rights/Patient Care 4

Sexual Harassment/Prohibited Relationship 5

Drug/Alcohol Usage 4

Inappropriate Use of University Resources 5

Conflict of Interest 3

Area Audited Findings

College of Medicine (4/13) 7

Univ Hospital & Ross Pharmacy (10/13) 6

Univ Hospital & Ross Operating Rooms (8/13) 19

James Nursing (9/13) 16

Univ Hospital Rehab (8/13) 16

Hospital Medical Surgical Nursing (9/13) 13

Univ Hospital Critical Care (8/13) 12

Harding Hospital (8/13) 10

Med Ctr Fin Svcs & Rev Cycle Svcs (10/13) 9

Gahanna Family Practice Clinic (5/13) 6

Med Ctr Procure to Pay Process (5/13) 5

Cardiology Outreach (6/13) 4

Univ Hospital East ER (9/13) 2

*Data as of 12/23/13

- Audit of conflicts of interest process
- As of 12/23, CoM cleared 18 of 21 items; “no progress” noted regarding finding on administration

Attorney-Client Privileged

- The 3 PRRs that remain open are rated 1
- The PRRs rated 4 include a copy of the Conflict of Interest Policy, physician compensation information, certain business arrangements information, and information security incident reports
- Corrective Actions:
- Next steps:


Compliance Program Effectiveness: Measuring (and Communicating) Benchmarking, Data, and Effectiveness

Gates Garrity-Rokous, OSU: [email protected]

Anna Drummond, UVM: [email protected]

Higher Education Conference

April 16, 2014

Contact Information