Higher Education Compliance Conference - SCCE Official Site · 2015-05-18


SCCE Higher Education Compliance Conference

THE OHIO STATE UNIVERSITY
OFFICE OF UNIVERSITY COMPLIANCE AND INTEGRITY
GATES GARRITY-ROKOUS

Building an Institution-Focused Testing and Monitoring Program

Higher Education Compliance Conference
May 31, 2015


Overview

• Objectives and Core Concepts

• Key Controls

• Testing and Monitoring Plans

• Reporting

CONFIDENTIAL

Session Objectives

• Define Testing and Monitoring: the key to establishing compliance effectiveness

• Describe tools to integrate testing and monitoring into an existing compliance program

• Identify how best to leverage and engage disparate and embedded compliance partners

• Develop and execute a risk‐based testing plan

• Reporting: the key to driving compliance accountability


Core Concepts

• Compliance partner: Individual with operational responsibility for controls needed to meet a regulatory or compliance objective.

• Testing: The confirmation of efficacy of controls. Can occur either through operational (owner) or compliance (independent) activity.

• Monitoring: Evaluation of a control through measurement of regularly reported data against a defined threshold (e.g., air quality, ppm), the exceedance of which causes action.

• Audit: Assessment of control effectiveness (“assurance”) through independent determination of regulatory, policy, or financial requirements.


Institutional Control: Three Lines of Defense

1st Line of Defense: College & unit leaders; Legal
• Risk ownership & management
• Initial identification, assessment, and control of risk

2nd Line of Defense: Compliance
• Assess, monitor & report specific areas (e.g., core business regulations, ethics)
• Regular testing

3rd Line of Defense: Internal Audit
• Financial reporting, operational effectiveness, etc.
• Periodic testing

Oversight (diagram labels): Organizational Leadership; Board of Directors; External Auditors; Regulators; Concern Reporting

Source: Institute of Internal Auditors Position Paper, January 2013


Control Definitions

Preventative Controls: Designed to keep errors or irregularities from occurring
• Policies, procedures, SOPs, training (soft controls)
• Key processes, e.g., segregation of duties
• Systems that force specific decisions or actions (hard controls)

Detective Controls: Designed to detect errors or irregularities that may have occurred
• Monitoring: regular review of data to detect deviations (e.g., transactions above or below a certain threshold)
• Testing: detailed review of specific transactions or controls (e.g., review of systems logs to identify fraudulent use)

Corrective Controls: Designed to correct errors or irregularities that have been detected
• Restore system or process back to prior state
• E.g., full restoration of system from backup tapes after learning of improper alteration of customer data
• Corrective actions and tracking


Limitations of Controls

Controls only provide reasonable assurance that compliance will be achieved. Limitations include:

Control failure: even well designed controls break down
• Employees misunderstand training or make mistakes
• Technology creates errors or is overly complex

Management decisions override controls:
• Superiors override policies for personal gain
• Management overrides policy for legitimate purposes, but results in unintentional control failures

Collusion:
• Control system circumvented by employees
• E.g., individuals collectively alter financial data or other information in a way that cannot be identified by control systems

Judgment: the effectiveness of controls will be limited by decisions
• Humans are subject to pressure
• Humans react to information available

Compliance programs should be designed to identify these limitations


Compliance Program Elements (diagram; input: Legal & regulatory requirements)

1. Risk Assessment & Abatement: Regulatory inventory; Risk Assessment; Planning
2. Communication: Policies; Training
3. Operational controls
4. Evaluation: Testing; Monitoring
5. Issue Response & Reporting: Corrective Actions; Testing, Monitoring & Audit Results; Investigations & Regulatory Contacts
6. Leadership Engagement


Control Definitions

Preventative Controls: Designed to keep errors or irregularities from occurring
• Policies, procedures, SOPs, training (soft controls)
• Key processes, e.g., segregation of duties
• Systems that force specific decisions or actions (hard controls)

Detective Controls: Designed to reveal errors or irregularities that may have occurred
• A clearly defined threshold in regularly produced data (e.g., a dollar amount for purchases; staff % completion of a certification)
• A critical decision or evidence on which the compliance of an entire process depends (e.g., manager approval signature in procurement)
• Evidence of completion of a required process (e.g., IRB approval in research)

Corrective Controls: Designed to correct errors or irregularities that have been detected
• Restore system or process back to prior state
• E.g., full restoration of system from backup tapes after learning of improper alteration of customer data; policy revision


Program activities overlaid on the control definitions (slide labels): Risk Assessment; Key Controls; Monitoring; Testing; Testing; Corrective Action Tracking


Risk Assessment: Inherent Risk [Severity of risk without mitigation]

Key Points:
• Assess Impact based on highest rated category
• Assess likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood


Risk Assessment: Controls [Effectiveness of efforts to mitigate identified risks]

Key Points:
• Risk Assessment methodology aligns to standards used by both Compliance Testing and Internal Audit
• Control effectiveness based on highest rated category


Risk Assessment: Overview

• Identify risk categories and colleges/units
• Identify key regulatory requirements across all risk categories, by college/unit
• Assess inherent risk and controls to determine residual risk ratings for each requirement and each risk category
• Rank risks according to residual risk rating

Risk Assessment: Identify Top Risks

Inherent Risk (severity of risk without mitigation)
• Impact: degree of financial, reputational, and/or regulatory harm caused
• Likelihood: probability of occurrence
• Impact Score x Likelihood Score = Inherent Risk

Residual Risk
• Control Assessment: measured current mitigation
• Inherent Risk x Control Assessment = Residual Risk

Testing and Monitoring: Demonstrate Effectiveness of Controls
• Testing of top risk categories and units (e.g., clinical trials, procurement)
• Testing of top risks’ key controls (e.g., HIPAA business associate agreements)
• Monitoring of compliance processes (e.g., Conflict of Interest reporting)

Testing and monitoring should be planned through a risk-based plan
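The scoring steps on this slide (impact taken from the highest-rated category, Inherent Risk = Impact x Likelihood, Residual Risk = Inherent Risk x Control Assessment, then ranking) carried through over a small risk register, as an added example that is not part of the slides or of OSU's program. The 1-5 scales, the control-assessment multiplier, the function names and the sample risks are assumptions; the risk names only echo the deck's examples.

```python
"""Residual-risk ranking for a compliance risk register (added example)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str                 # risk category (e.g. Privacy, Research)
    unit: str                     # college/unit that owns the risk
    impact: dict                  # assumed 1 (low) .. 5 (high) per impact category
    likelihood: int               # assumed 1 .. 5, assessed without existing controls
    control_assessment: float     # assumed multiplier: 1.0 = no effective mitigation,
                                  # smaller = stronger measured mitigation

    def validate(self) -> None:
        if not self.impact or not all(1 <= v <= 5 for v in self.impact.values()):
            raise ValueError(f"{self.name}: impact scores must be 1..5")
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        if not 0.0 < self.control_assessment <= 1.0:
            raise ValueError(f"{self.name}: control assessment must be in (0, 1]")

    def impact_score(self) -> int:
        # "Assess Impact based on highest rated category"
        return max(self.impact.values())

    def inherent_risk(self) -> int:
        # severity with no mitigation in place
        return self.impact_score() * self.likelihood

    def residual_risk(self) -> float:
        # what remains after the measured current mitigation
        return self.inherent_risk() * self.control_assessment


def rank_risks(register: list) -> list:
    """Register ordered from highest to lowest residual risk."""
    for risk in register:
        risk.validate()
    return sorted(register, key=lambda r: r.residual_risk(), reverse=True)


def category_summary(register: list) -> dict:
    """Highest residual risk per risk category (the deck also ranks by category)."""
    summary = {}
    for risk in rank_risks(register):          # descending, so first seen is the max
        summary.setdefault(risk.category, risk.residual_risk())
    return summary


# Constructed sample register; scores are made up for illustration.
SAMPLE_REGISTER = [
    Risk("HIPAA business associate agreements", "Privacy", "Medical Center",
         {"financial": 4, "reputational": 4, "regulatory": 5}, likelihood=4, control_assessment=0.5),
    Risk("Conflict of Interest reporting", "Research", "Office of Research",
         {"financial": 2, "reputational": 4, "regulatory": 3}, likelihood=3, control_assessment=0.75),
    Risk("Procurement approvals (Ohio Ethics Law)", "Procurement", "Finance",
         {"financial": 5, "reputational": 3, "regulatory": 3}, likelihood=2, control_assessment=0.25),
    Risk("Clinical trials billing", "Research", "Medical Center",
         {"financial": 5, "reputational": 5, "regulatory": 5}, likelihood=3, control_assessment=1.0),
    Risk("Lab safety inspections", "Environmental Health & Safety", "Research labs",
         {"financial": 2, "reputational": 3, "regulatory": 4}, likelihood=5, control_assessment=0.625),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"residual={r.residual_risk():5.1f} inherent={r.inherent_risk():2d}  {r.name} ({r.unit})")
    print(category_summary(SAMPLE_REGISTER))
```

Two risks with the same inherent score (HIPAA BAAs and lab safety, both 20) end up ranked differently once the control assessment is applied, which is the point of carrying the residual step rather than stopping at inherent risk.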


Overview

• Objectives and Core Concepts

• Key Controls

• Testing and Monitoring Plans

• Reporting


Measuring What’s Important: Key Controls

The Alcoa example (Charles Duhigg):
• Identify the key organizational “habit” on which success (e.g., culture, productivity, sales, profits) most depends
• CEO Paul O’Neill’s answer for Alcoa in 1987: Worker Safety
• http://www.huffingtonpost.com/charles-duhigg/the-power-of-habit_b_1304550.html

The compliance perspective:
• Identify the key controls on which compliance most depends
• Enable compliance partners to assess/report status of controls
• Efficiently test effectiveness of key controls with limited resources


Identification of Key Controls. Example: academic issues following UNC scandal

Following UNC academic scandal, university conducted “stress test” on potential issues at intersection of athletics and academics

Working group included representatives from: Undergraduate Education, SASSO, Athletic Compliance, Registrar, University Compliance and Integrity, Legal Affairs, the Faculty Athletics Representatives, and the Academic Progress and Eligibility Committee of the Athletics Council

Goals were to:
o Review risks associated with potential athletic academic issues
o Evaluate effectiveness of existing controls at mitigating those risks
o Identify key control for each risk, and reporting
o Develop governance structure designed to ensure effective implementation of ongoing reporting


Key Controls Example: Academic Issues (cont.)

Areas of Focus
o Student-athlete academic eligibility (continuing, initial, transfer)
o Student-athlete clustering (class, major, etc.)
o Governance and independence of SASSO
o Missed class time due to athletic commitments
o Tutoring policies
o Admissions
o Academic Misconduct

Process:
o Identify potential issues and determine whether clearly defined controls exist and are reviewed regularly
o Identify a key control: threshold or measurement by which ongoing compliance is measured
o Identify parties responsible for oversight; develop reporting mechanisms
o Assess current data against threshold to develop a baseline
o Develop a structure for future reporting


Key Controls Example: Academic Issues (cont.)

Key control table (one row shown):
Potential Issue: Transfer students - Do transfer students meet NCAA progress toward degree requirements?
Threshold or Measurement: 100% review of (1) Number of student-athletes transferring to OSU ineligible; (2) Number of student-athletes becoming ineligible after transfer; goal of zero
Compliance Partner: Student Athlete Academic Support Services (SASSO)
Control Testing: Athletics Compliance
Governance: AP&E
Report Type: Transfer Student Report (Compliance)
Comments: Transfer Student Report will contain the following information: (1) Major at previous institution, (2) GPA/Degree Hours Completed at previous institution, (3) Major at OSU, (4) Degree hours at OSU

Column definitions:
“Regulation”: A set of binding rules issued by a private or public body with the necessary authority to supervise compliance with them and apply sanctions in response to violation.
Key Control: The critical decision point or metric in a process that demonstrates effectiveness of the process.
Compliance Partner: Unit/area responsible for decision-making on risks/issues for respective unit/area.
Testing: Unit/partner which tests, tracks and monitors controls.
Oversight: Strategic decision-making and top-level oversight.
Reporting: Report specifically created to track and monitor key controls.
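The key-control row above (a count that must stay at zero, reported regularly by a compliance partner, with exceedance causing action) and the scorecard style of reporting the current quarter next to the previous one, carried through as an added example that is not part of the slides or of OSU's reporting. Control names, thresholds, periods and readings are constructed; the max/min direction field is an assumption added so that both kinds of threshold named on the detective-controls slide (a count that must not rise above a limit, a completion percentage that must reach a floor) are handled.

```python
"""Key-control monitoring against a defined threshold, with trending (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyControl:
    name: str
    compliance_partner: str   # unit that owns and reports the data
    threshold: float          # the defined threshold
    direction: str            # assumed: "max" = value must not exceed threshold
                              #          "min" = value must reach the threshold


@dataclass(frozen=True)
class Reading:
    period: str               # reporting period label, e.g. "FY15 Q2"
    value: float              # regularly reported data point


def is_exceeded(control: KeyControl, value: float) -> bool:
    """True when the reading breaches the threshold in the control's direction."""
    if control.direction == "max":
        return value > control.threshold
    if control.direction == "min":
        return value < control.threshold
    raise ValueError(f"{control.name}: direction must be 'max' or 'min'")


def trend(control: KeyControl, previous: float, current: float) -> str:
    """Quarter-over-quarter movement judged against the control's direction."""
    if current == previous:
        return "flat"
    moved_up = current > previous
    # for "max" controls a rising value is bad; for "min" controls it is good
    good = (not moved_up) if control.direction == "max" else moved_up
    return "improving" if good else "worsening"


def evaluate(control: KeyControl, readings: list) -> dict:
    """Scorecard row for one key control from its readings (oldest first)."""
    if not readings:
        raise ValueError(f"{control.name}: no readings reported")
    current = readings[-1]
    row = {
        "control": control.name,
        "partner": control.compliance_partner,
        "period": current.period,
        "current": current.value,
        "threshold": control.threshold,
        "exceeded": is_exceeded(control, current.value),
        "trend": "baseline",      # the first report only establishes the baseline
    }
    if len(readings) > 1:
        row["trend"] = trend(control, readings[-2].value, current.value)
    return row


def scorecard(items: list) -> list:
    """Rows for every (control, readings) pair, exceedances listed first."""
    rows = [evaluate(control, readings) for control, readings in items]
    return sorted(rows, key=lambda r: (not r["exceeded"], r["control"]))


def actions_required(rows: list) -> list:
    """Controls whose exceedance must cause action, with the partner to engage."""
    return [(r["control"], r["partner"]) for r in rows if r["exceeded"]]


# Constructed quarterly readings for four key controls.
SAMPLE_ITEMS = [
    (KeyControl("Student-athletes ineligible on/after transfer", "SASSO", 0, "max"),
     [Reading("FY14 Q4", 0), Reading("FY15 Q1", 0), Reading("FY15 Q2", 1)]),
    (KeyControl("Lab safety training completion (%)", "EHS", 95, "min"),
     [Reading("FY15 Q1", 91), Reading("FY15 Q2", 96)]),
    (KeyControl("Purchases lacking manager approval", "Procurement", 0, "max"),
     [Reading("FY15 Q1", 2), Reading("FY15 Q2", 0)]),
    (KeyControl("Overdue Conflict of Interest disclosures", "Research Compliance", 10, "max"),
     [Reading("FY15 Q1", 12), Reading("FY15 Q2", 12)]),
]

if __name__ == "__main__":
    rows = scorecard(SAMPLE_ITEMS)
    for row in rows:
        flag = "EXCEEDED" if row["exceeded"] else "ok"
        print(f"{flag:8} {row['trend']:9} {row['control']} = {row['current']} "
              f"(threshold {row['threshold']}, {row['period']})")
    print("action required:", actions_required(rows))
```

A control that is over threshold but "flat" (the overdue disclosures) and one that is over threshold and "worsening" (the transfer ineligibility count) both appear in the action list; the trend only tells the reader whether last quarter's corrective action moved the number.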


Identification of Key Controls: Process Mapping
Example: controls in procurement process needed to meet Ohio Ethics Law requirements


Overview

• Objectives and Core Concepts

• Key Controls

• Testing and Monitoring Plans

• Reporting


Control Assessment [Effectiveness of efforts to mitigate identified risks]

Key Points:
• Assess Impact based on highest rated category
• Assess likelihood without existing controls or plan
• Inherent risk score = Impact x Likelihood


Sample Risk Assessment


Sample Compliance Testing Plan


Sample Compliance Testing Methodology


Compliance Review format:
• Simple, clear format that ties back to risk assessment criteria
• Provides high-level summary
• Gives both inherent and control assessment
• Gives trending (change over time)


Overview

• Objectives and Core Concepts

• Key Controls

• Testing and Monitoring Plans

• Reporting


Investigations Summary

Data includes University-wide investigations rated 4 or 5 for FY2015 YTD (7/1/14 – 3/11/15); includes investigations conducted by Compliance, OHR, Med Ctr HR, Med Ctr Compliance, Research Compliance, Title IX, Internal Audit, Faculty Misconduct, OCIO, OLA, ADA, OSUPD

Investigations by rating (Rating | Closed Investigations | Findings | Open):
5 | 2 | 1 | 3
4 | 14 | 3 | 0
Total | 16 | 4 | 3

Materiality Ratings (Rating | Public Interest | Subject Position | Regulatory):
5 | Major reputational topic; of immediate interest to the general public | Concerns unit or senior leader | Regulatory debarment or shutdown
4 | Potential for significant publicity; of interest to the general public | Concerns management of some seniority | Regulatory probation/ongoing supervision
3 | Potential for publicity; could be of interest to the general public | Concerns staff or faculty | Regulatory warning letter or equivalent
2 | Small potential for publicity; no known interest to the general public | Concerns staff or faculty | Advisory letter or other indication of ongoing interest
1 | No potential for publicity; no known interest to the general public | Concerns staff or faculty | No regulatory enforcement interest

Action Steps Summary (Rating | Action Steps):
5 | Key stakeholders advised; investigation coordinated by OUCI
4 | Appropriate Senior Leaders advised; investigation overseen by OUCI
3 | Management advised; OUCI and Unit collaborate on investigation
2 | Unit oversees investigation
1 | Local investigation

[Bar chart: Investigations Rated 4 or 5 by Issue. Issues: Harassment; Hostile Work Environment; Nepotism; Research/Grants; NCAA; Ohio Ethics Law; Title IX; Whistleblower/Retaliation. Count axis 0–6.]


Audit Summary

Findings Rated 5 or After 1st Follow Up²
• Findings Rated 5: 1
• 2nd follow up: 4

Type of Finding (Number):
• Equipment: 1
• Fund management: 1
• Purchase card: 1
• Payroll and leave timekeeping: 1
• University required training: 1

Unit (Number):
• Office of Administration and Planning: 3
• College of Arts and Sciences: 1
• College of Food, Agri, and Envir Sci: 1

Findings of All Ratings and Follow-Ups¹

Top Findings (Number):
• Payroll and leave timekeeping: 232
• Information technology: 153
• Equipment: 127
• Cash handling: 124
• Governance: 76

Materiality Ratings (Rating | Description):
5 | Routinely does not comply or significant noncompliance with policies and control activities. Immediate improvement is necessary.
4 | Partially complies with policies and control activities. Substantial opportunities for improvement exist.
3 | Partially complies with policies and control activities. Opportunities for improvement exist.
2 | Generally complies with policies and control activities. Minor opportunities for improvement exist.
1 | Generally complies with policies and control activities.

¹ Data includes internal audit reports from 5/2013–3/2015
² Data includes issues not cleared by 3/11/15


Sample Risk Assessment


Example: OIG Work Plan

2015 Issue: Sleep Disorder Clinics - High Utilization of Sleep-Testing Procedures (CPT codes 95810 and 95811)

Goal of Review: Examine Medicare payments to physicians, hospital outpatient departments, and independent diagnostic testing facilities for sleep-testing procedures to assess the appropriateness of Medicare payments for high utilization sleep-testing procedures and determine whether they were in accordance with Medicare requirements.

Applicable Rules/Regulations: An OIG analysis of CY 2010 Medicare payments for Current Procedural Terminology (CPT) codes 95810 and 95811, which totaled approximately $415 million, showed high utilization associated with these sleep-testing procedures. Medicare will not pay for items or services that are not “reasonable and necessary.” (Social Security Act, §1862(a)(1)(A).) Diagnostic testing that is duplicative of previous testing done by the attending physician to the extent the results are still pertinent is not covered because it is not reasonable and necessary under 1862(a)(1)(A) of the Act. Requirements for coverage of sleep tests under Part B are in CMS’s Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70.


OSUWMC’s Sleep Lab Procedure Scheduling: Risk Assessment & History

Sleep studies (CPT Codes 95810 and 95811)

HHS-OIG’s Work Plan identified Medicare payments for Current Procedural Terminology (CPT) codes 95810 and 95811, which totaled approximately $415 million; audits showed high utilization associated with these sleep-testing procedures. Diagnostic testing duplicative of previous testing done by attending physician, where prior results are still pertinent, is not covered as not reasonable and necessary; requirements for coverage of sleep tests under Part B are in CMS’s Medicare Benefit Policy Manual, Pub. No. 100-02, ch. 15, § 70.

Risk Level
• Inherent / Gross (NO controls): Medium fines or penalties
• Likelihood of non-compliance occurring with absolutely no controls in place: Often (Weekly)
• Current: Scheduling is done in real time and by 2 trained sleep lab staff only. In order for a sleep study to be scheduled by sleep clinic or direct referring Physician, controls must be fulfilled.

Controls:
1. Patient acceptance criteria as outlined by the American Academy of Sleep Medicine and reflected in our protocols as a Sleep Disorder Center accredited by the AASM.
2. Extensive questionnaire collected at time of sleep clinic consultation and included in H&P.
3. Controls used by scheduling in the sleep lab, for referrals from practices that are not sleep medicine, which are also outlined in our protocols and enforced by standards of AASM.

Comments: Supporting Documentation
1. AASM Standard C-1, C-2, and C-3
2. OSU Sleep Lab Patient Acceptance Protocol
3. Example of patient screening questionnaire used by Sleep clinic
4. Direct Referral outline for scheduling
5. Direct referral Physicians listing


College/Unit Reporting Scorecard: Overview

• Reporting on regulatory area (Environmental Health and Safety regulations) across all laboratories, across all colleges
• EHS conducts annual risk-based inspections of all research labs on campus (~800 Principal Investigators w/over 3,200 lab spaces)
• Review safety training, SOPs, hazard assessments, engineering controls and other safety-related items
• Post-visit report is generated with noted deficiencies and Principal Investigator is requested to respond via a web-based system within 15 days with an appropriate corrective action
• Categories are risk-ranked
• Findings reflect categories where issues have been identified and have not yet been resolved, which may continue to present a safety or compliance risk
• Current quarter information and trending information (as compared to the previous quarter)
• Also provides an opportunity for both significant positive and negative comments related to specific Labs (investigators), incidents or inspections


Reporting scorecard: by Department


Questions