SCCE Higher Education Compliance Conference
The Ohio State University
Office of University Compliance and Integrity
Gates Garrity-Rokous
Building an Institution-Focused Testing and Monitoring Program
Higher Education Compliance Conference, May 31, 2015
Overview
• Objectives and Core Concepts
• Key Controls
• Testing and Monitoring Plans
• Reporting
CONFIDENTIAL
Session Objectives
• Define Testing and Monitoring: the key to establishing compliance effectiveness
• Describe tools to integrate testing and monitoring into an existing compliance program
• Identify how best to leverage and engage disparate and embedded compliance partners
• Develop and execute a risk‐based testing plan
• Reporting: the key to driving compliance accountability
Core Concepts
• Compliance partner: Individual with operational responsibility for controls needed to meet a regulatory or compliance objective.
• Testing: The confirmation of efficacy of controls. Can occur either through operational (owner) or compliance (independent) activity.
• Monitoring: Evaluation of a control through measurement of regularly reported data against a defined threshold (e.g., air quality, ppm), the exceedance of which causes action.
• Audit: Assessment of control effectiveness (“assurance”) through independent determination of regulatory, policy, or financial requirements.
Institutional Control: Three Lines of Defense
1st Line of Defense: College & unit leaders; Legal
• Risk ownership & management
• Initial identification, assessment, and control of risk
2nd Line of Defense: Compliance
• Assess, monitor & report specific areas (e.g., core business regulations, ethics)
• Regular testing
3rd Line of Defense: Internal Audit
• Financial reporting, operational effectiveness, etc.
• Periodic testing
Oversight of all three lines: Board of Directors; Organizational Leadership
External parties: External Auditors; Regulators
Concern Reporting feeds into the lines of defense
Source: Institute of Internal Auditors Position Paper, January 2013
Control Definitions
Preventative Controls: designed to keep errors or irregularities from occurring
• Policies, procedures, SOPs, training (soft controls)
• Key processes, e.g., segregation of duties
• Systems that force specific decisions or actions (hard controls)
Detective Controls: designed to detect errors or irregularities that may have occurred
• Monitoring: regular review of data to detect deviations (e.g., transactions above or below a certain threshold)
• Testing: detailed review of specific transactions or controls (e.g., review of system logs to identify fraudulent use)
Corrective Controls: designed to correct errors or irregularities that have been detected
• Restore system or process back to prior state (e.g., full restoration of system from backup tapes after learning of improper alteration of customer data)
• Corrective actions and tracking
Limitations of Controls
Controls only provide reasonable assurance that compliance will be achieved. Limitations include:
Control failure: even well designed controls break down
• Employees misunderstand training or make mistakes
• Technology creates errors or is overly complex
Management decisions override controls:
• Superiors override policies for personal gain
• Management overrides policy for legitimate purposes, but results in unintentional control failures
Collusion:
• Control system circumvented by employees
• E.g., individuals collectively alter financial data or other information in a way that cannot be identified by control systems
Judgment: the effectiveness of controls will be limited by decisions
• Humans are subject to pressure
• Humans react to information available
Compliance programs should be designed to identify these limitations
Compliance Program Elements
1. Risk Assessment & Abatement: planning; regulatory inventory; risk assessment
2. Communication: policies; training
3. Operational controls: legal & regulatory requirements
4. Evaluation: testing; monitoring
5. Issue Response & Reporting: corrective actions; testing, monitoring & audit results; investigations & regulatory contacts
6. Leadership Engagement
Control Definitions
Preventative Controls: designed to keep errors or irregularities from occurring
• Policies, procedures, SOPs, training (soft controls)
• Key processes, e.g., segregation of duties
• Systems that force specific decisions or actions (hard controls)
Detective Controls: designed to reveal errors or irregularities that may have occurred
• A clearly defined threshold in regularly produced data (e.g., a dollar amount for purchases; staff % completion of a certification)
• A critical decision or evidence on which the compliance of an entire process depends (e.g., manager approval signature in procurement)
• Evidence of completion of a required process (e.g., IRB approval in research)
Corrective Controls: designed to correct errors or irregularities that have been detected
• Restore system or process back to prior state (e.g., full restoration of system from backup tapes after learning of improper alteration of customer data); policy revision
(Slide repeats the control definitions above, with callouts mapping program activities onto the control types: Risk Assessment, Key Controls, Monitoring, Testing, Corrective Action Tracking.)
Risk Assessment: Inherent Risk [severity of risk without mitigation]
Key Points:
• Assess Impact based on highest rated category
• Assess Likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood
Risk Assessment: Controls [effectiveness of efforts to mitigate identified risks]
Key Points:
• Risk Assessment methodology aligns to standards used by both Compliance Testing and Internal Audit
• Control effectiveness based on highest rated category
Risk Assessment: Overview
• Identify risk categories and colleges/units
• Identify key regulatory requirements across all risk categories, by college/unit
• Assess inherent risk and controls to determine residual risk ratings for each requirement and each risk category
• Rank risks according to residual risk rating
Risk Assessment: Identify Top Risks
• Inherent Risk (severity of risk without mitigation): Impact = degree of financial, reputational, and/or regulatory harm caused; Likelihood = probability of occurrence; Impact Score x Likelihood Score = Inherent Risk
• Residual Risk: Control Assessment = measured current mitigation; Inherent Risk x Control Assessment = Residual Risk
Testing and Monitoring: Demonstrate Effectiveness of Controls
• Testing of top risk categories and units (e.g., clinical trials, procurement)
• Testing of top risks’ key controls (e.g., HIPAA business associate agreements)
• Monitoring of compliance processes (e.g., Conflict of Interest reporting)
Testing and monitoring should be planned through a risk-based plan
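The scoring described on this slide, applied to a small constructed inventory of requirements, as an added example; it is not part of the deck and not the university's own tooling. The slides give the formulas but not the scales, so the 1 to 5 scales for impact categories and likelihood, and a control-assessment factor in (0, 1] where 1.0 means no effective mitigation, are assumptions; the requirement names echo examples from the slides but the scores are invented.

```python
"""Risk-based ranking of regulatory requirements (added example).

Applies the slide's scoring: impact is the highest rated category,
inherent risk = impact x likelihood (assessed without controls),
residual risk = inherent risk x control assessment, and requirements
are ranked by residual risk. Scales are assumptions, not from the deck.
"""
from dataclasses import dataclass

IMPACT_CATEGORIES = ("financial", "reputational", "regulatory")


@dataclass
class Requirement:
    name: str
    unit: str
    risk_category: str
    impact: dict               # category -> score 1..5 (assumed scale)
    likelihood: int            # 1..5, probability with no controls (assumed scale)
    control_assessment: float  # assumed: 1.0 = no mitigation, smaller = stronger controls

    def __post_init__(self):
        # Reject scores outside the assumed scales so a data-entry error
        # cannot silently push a requirement to the top or bottom of the ranking.
        for cat, score in self.impact.items():
            if cat not in IMPACT_CATEGORIES or not 1 <= score <= 5:
                raise ValueError(f"{self.name}: bad impact {cat}={score}")
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: bad likelihood {self.likelihood}")
        if not 0 < self.control_assessment <= 1:
            raise ValueError(f"{self.name}: bad control assessment {self.control_assessment}")


def impact_score(req):
    """Impact is taken from the highest rated category."""
    return max(req.impact.values())


def inherent_risk(req):
    """Severity without mitigation: Impact x Likelihood."""
    return impact_score(req) * req.likelihood


def residual_risk(req):
    """Inherent Risk x Control Assessment."""
    return inherent_risk(req) * req.control_assessment


def rank_requirements(reqs):
    """Highest residual risk first; ties broken by inherent risk, then name."""
    return sorted(reqs, key=lambda r: (-residual_risk(r), -inherent_risk(r), r.name))


def residual_by_category(reqs):
    """Aggregate residual risk per risk category, for ranking categories and units."""
    totals = {}
    for r in reqs:
        totals[r.risk_category] = totals.get(r.risk_category, 0.0) + residual_risk(r)
    return totals


# Constructed sample inventory; names echo the slides, all scores are invented.
SAMPLE_REQUIREMENTS = [
    Requirement("HIPAA business associate agreements", "Medical Center", "clinical",
                {"financial": 3, "reputational": 4, "regulatory": 5}, 4, 0.5),
    Requirement("Conflict of interest reporting", "Research Office", "research",
                {"financial": 2, "reputational": 3, "regulatory": 3}, 3, 0.4),
    Requirement("Manager approval signature in procurement", "Purchasing", "procurement",
                {"financial": 4, "reputational": 2, "regulatory": 3}, 2, 1.0),
    Requirement("Lab safety training completion", "Arts and Sciences", "lab safety",
                {"financial": 2, "reputational": 3, "regulatory": 4}, 5, 0.6),
]

if __name__ == "__main__":
    for r in rank_requirements(SAMPLE_REQUIREMENTS):
        print(f"{residual_risk(r):5.1f}  (inherent {inherent_risk(r):2d})  {r.name} [{r.unit}]")
    print(residual_by_category(SAMPLE_REQUIREMENTS))
```

Note that a requirement with no effective control (factor 1.0) keeps its full inherent score, which is why the procurement signature outranks the conflict-of-interest process despite a lower inherent risk; the ranking is only as good as the control assessment behind it.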
Overview
• Objectives and Core Concepts
• Key Controls
• Testing and Monitoring Plans
• Reporting
Measuring What’s Important: Key Controls
The Alcoa example (Charles Duhigg):
• Identify the key organizational “habit” on which success (e.g., culture, productivity, sales, profits) most depends
• CEO Paul O’Neill’s answer for Alcoa in 1987: Worker Safety
• http://www.huffingtonpost.com/charles-duhigg/the-power-of-habit_b_1304550.html
The compliance perspective:
• Identify the key controls on which compliance most depends
• Enable compliance partners to assess/report status of controls
• Efficiently test effectiveness of key controls with limited resources
Identification of Key Controls
Example: academic issues following UNC scandal
Following the UNC academic scandal, the university conducted a “stress test” on potential issues at the intersection of athletics and academics
Working group included representatives from: Undergraduate Education, SASSO, Athletic Compliance, Registrar, University Compliance and Integrity, Legal Affairs, the Faculty Athletics Representatives, and the Academic Progress and Eligibility Committee of the Athletics Council
Goals were to:
o Review risks associated with potential athletic academic issues
o Evaluate effectiveness of existing controls at mitigating those risks
o Identify key control for each risk, and reporting
o Develop governance structure designed to ensure effective implementation of ongoing reporting
Key Controls Example: Academic Issues (cont.)
Areas of Focus
o Student-athlete academic eligibility (continuing, initial, transfer)
o Student-athlete clustering (class, major, etc.)
o Governance and independence of SASSO
o Missed class time due to athletic commitments
o Tutoring policies
o Admissions
o Academic Misconduct
Process:
o Identify potential issues and determine whether clearly defined controls exist and are reviewed regularly
o Identify a key control: threshold or measurement by which ongoing compliance is measured
o Identify parties responsible for oversight; develop reporting mechanisms
o Assess current data against threshold to develop a baseline
o Develop a structure for future reporting
Key Controls Example: Academic Issues (cont.)
Sample row from the key controls table:
Potential Issue: Transfer students: do transfer students meet NCAA progress-toward-degree requirements?
Threshold or Measurement: 100% review of (1) number of student-athletes transferring to OSU ineligible; (2) number of student-athletes becoming ineligible after transfer; goal of zero
Compliance Partner: Student Athlete Academic Support Services (SASSO)
Control Testing: Athletics Compliance
Governance: AP&E
Report Type: Transfer Student Report (Compliance)
Comments: Transfer Student Report will contain the following information: (1) major at previous institution, (2) GPA/degree hours completed at previous institution, (3) major at OSU, (4) degree hours at OSU
Column definitions:
“Regulation”: a set of binding rules issued by a private or public body with the necessary authority to supervise compliance with them and apply sanctions in response to violation.
Key Control: the critical decision point or metric in a process that demonstrates effectiveness of the process.
Compliance Partner: unit/area responsible for decision-making on risks/issues for the respective unit/area.
Testing: unit/partner which tests, tracks and monitors controls.
Oversight: strategic decision-making and top-level oversight.
Reporting: report specifically created to track and monitor key controls.
Identification of Key Controls: Process Mapping
Example: controls in the procurement process needed to meet Ohio Ethics Law requirements
Overview
• Objectives and Core Concepts
• Key Controls
• Testing and Monitoring Plans
• Reporting
Control Assessment [effectiveness of efforts to mitigate identified risks]
Key Points:
• Assess Impact based on highest rated category
• Assess Likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood
Sample Risk Assessment
Sample Compliance Testing Plan
Sample Compliance Testing Methodology
Compliance Review format:
• Simple, clear format that ties back to risk assessment criteria
• Provides high-level summary
• Gives both inherent and control assessment
• Gives trending (change over time)
Overview
• Objectives and Core Concepts
• Key Controls
• Testing and Monitoring Plans
• Reporting
Investigations Summary
Data includes University-wide investigations rated 4 or 5 for FY2015 YTD (7/1/14 – 3/11/15); includes investigations conducted by Compliance, OHR, Med Ctr HR, Med Ctr Compliance, Research Compliance, Title IX, Internal Audit, Faculty Misconduct, OCIO, OLA, ADA, OSUPD
Investigations by rating (Rating: Closed Investigations / Findings / Open):
Rating 5: 2 / 1 / 3
Rating 4: 14 / 3 / 0
Total: 16 / 4 / 3
Materiality Ratings (Rating: Public Interest; Subject Position; Regulatory):
5: Major reputational topic, of immediate interest to the general public; concerns unit or senior leader; regulatory debarment or shutdown
4: Potential for significant publicity, of interest to the general public; concerns management of some seniority; regulatory probation/ongoing supervision
3: Potential for publicity, could be of interest to the general public; concerns staff or faculty; regulatory warning letter or equivalent
2: Small potential for publicity, no known interest to the general public; concerns staff or faculty; advisory letter or other indication of ongoing interest
1: No potential for publicity, no known interest to the general public; concerns staff or faculty; no regulatory enforcement interest
Action Steps Summary (Rating: Action Steps):
5: Key stakeholders advised; investigation coordinated by OUCI
4: Appropriate senior leaders advised; investigation overseen by OUCI
3: Management advised; OUCI and unit collaborate on investigation
2: Unit oversees investigation
1: Local investigation
(Chart: Investigations Rated 4 or 5 by Issue, count per issue on a 0 to 6 scale; issues: Harassment, Hostile Work Environment, Nepotism, Research/Grants, NCAA, Ohio Ethics Law, Title IX, Whistleblower/Retaliation)
Audit Summary
Findings Rated 5 or After 1st Follow Up (note 2: data includes issues not cleared by 3/11/15)
Findings (number): Rated 5: 1; 2nd follow up: 4
Type of Finding (number): Equipment 1; Fund management 1; Purchase card 1; Payroll and leave timekeeping 1; University required training 1
Unit (number): Office of Administration and Planning 3; College of Arts and Sciences 1; College of Food, Agri, and Envir Sci 1
Findings of All Ratings and Follow-Ups (note 1: data includes internal audit reports from 5/2013 – 3/2015)
Top Findings (number): Payroll and leave timekeeping 232; Information technology 153; Equipment 127; Cash handling 124; Governance 76
Materiality Ratings (Rating: Description):
5: Routinely does not comply or significant noncompliance with policies and control activities. Immediate improvement is necessary.
4: Partially complies with policies and control activities. Substantial opportunities for improvement exist.
3: Partially complies with policies and control activities. Opportunities for improvement exist.
2: Generally complies with policies and control activities. Minor opportunities for improvement exist.
1: Generally complies with policies and control activities.
Sample Risk Assessment
Example: OIG Work Plan
2015 Issue: Sleep Disorder Clinics: High Utilization of Sleep-Testing Procedures (CPT codes 95810 and 95811)
Goal of Review: Examine Medicare payments to physicians, hospital outpatient departments, and independent diagnostic testing facilities for sleep-testing procedures to assess the appropriateness of Medicare payments for high utilization sleep-testing procedures and determine whether they were in accordance with Medicare requirements.
Applicable Rules/Regulations: An OIG analysis of CY 2010 Medicare payments for Current Procedural Terminology (CPT) codes 95810 and 95811, which totaled approximately $415 million, showed high utilization associated with these sleep-testing procedures. Medicare will not pay for items or services that are not “reasonable and necessary.” (Social Security Act, §1862(a)(1)(A).) Diagnostic testing that is duplicative of previous testing done by the attending physician to the extent the results are still pertinent is not covered because it is not reasonable and necessary under 1862(a)(1)(A) of the Act. Requirements for coverage of sleep tests under Part B are in CMS’s Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70.
OSUWMC’s Sleep Lab Procedure Scheduling Risk Assessment & History
Sleep studies (CPT codes 95810 and 95811)
HHS-OIG’s Work Plan identified Medicare payments for Current Procedural Terminology (CPT) codes 95810 and 95811, which totaled approximately $415 million; audits showed high utilization associated with these sleep-testing procedures. Diagnostic testing duplicative of previous testing done by the attending physician, where prior results are still pertinent, is not covered as not reasonable and necessary; requirements for coverage of sleep tests under Part B are in CMS’s Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70.
Risk Level (columns: Inherent/Gross with NO controls; Current):
• Comments: Medium fines or penalties
• Likelihood: the likelihood of noncompliance occurring with absolutely no controls in place (slide values: Often; Weekly)
Scheduling is done in real time and by 2 trained sleep lab staff only. In order for a sleep study to be scheduled by the sleep clinic or a direct referring physician, controls must be fulfilled.
Controls:
1. Patient acceptance criteria as outlined by the American Academy of Sleep Medicine and reflected in our protocols as a Sleep Disorder Center accredited by the AASM.
2. Extensive questionnaire collected at time of sleep clinic consultation and included in H&P.
3. Controls used by scheduling in the sleep lab, for referrals from practices that are not sleep medicine, which are also outlined in our protocols and enforced by standards of AASM.
Comments: Supporting Documentation
1. AASM Standards C-1, C-2, and C-3
2. OSU Sleep Lab Patient Acceptance Protocol
3. Example of patient screening questionnaire used by the Sleep Clinic
4. Direct Referral outline for scheduling
5. Direct referral physicians listing
College/Unit Reporting Scorecard: Overview
• Reporting on regulatory area (Environmental Health and Safety regulations) across all laboratories, across all colleges
• EHS conducts annual risk-based inspections of all research labs on campus (~800 Principal Investigators with over 3,200 lab spaces)
• Review safety training, SOPs, hazard assessments, engineering controls and other safety-related items
• Post-visit report is generated with noted deficiencies, and the Principal Investigator is requested to respond via a web-based system within 15 days with an appropriate corrective action
• Categories are risk-ranked
• Findings reflect categories where issues have been identified and have not yet been resolved, which may continue to present a safety or compliance risk
• Current quarter information and trending information (as compared to the previous quarter)
• Also provides an opportunity for both significant positive and negative comments related to specific labs (investigators), incidents or inspections
Reporting scorecard: by Department
Questions