Audit, Compliance, and...Audit. Coordinate compliance functions in a manner similar to the Office of...

Integrating Audit, Compliance, Risk Management, and General Counsel

David Galloway

Executive Director – Office of Compliance and Audit

Brigham Young University

Freeh Report

Coordinate the Chief Compliance Officer’s responsibilities with the Office of General Counsel, the Director of Risk Management and the Director of Internal Audit.

Coordinate compliance functions in a manner similar to the Office of Internal Audit.

Have similar access to, and a reporting relationship with the Board, as does the Internal Auditor.

Coordination of Compliance, Legal, Audit, and General Counsel

• Governance
• Internal Control
• Provide Direction
• Regulatory Burden
• Velocity of Failure

Governance

“… the policies, processes, structures, and controls used within an organization by all involved to achieve its objectives in an ethical manner.”

-- Institute of Internal Auditors

Governance

“…the constellation of policies, procedures, and decision making units that control [a university]…”

--The Redesign of Governance in Higher Education

Rand Institute on Education and Training

Governance

“An organization such as a university is largely dependent on the exchange relationships that it is involved in…”

--Government Policies and Organizational Change in Higher Education

Ase Gornitzka

Internal Control

Achievement of objectives regarding

• Reliability of financial reporting
• Effectiveness and efficiency
• Compliance with laws and regulations

-- COSO Internal Control Framework

“If we could first know where we are, and whither we are tending, we could then better judge what to do, and how to do it.”

Abraham Lincoln (House Divided Speech)

Heuristic Model

Where Will It End?

Where Will It End?

CHANGE in LANDSCAPE

• Increasing Regulation
• Increasing Regulator Audits
-- Tax
-- Clery Act
-- ICE
-- EPA
• Increasing Expectation by Constituents
• Increasing Risk
• Velocity of Failure

The Compliance Officer’s Role

1. Be involved in establishing the strategy for compliance

2. Be familiar with the expectations for compliance

3. Help ensure integration of internal audit, compliance, the General Counsel, and Environmental Health and Safety

Steps to Managing the Burden

Identify the key players

Build an effective coordination structure

Ensure coordinated efforts impact compliance risks

“In organizations, real power and energy is generated through relationships. The patterns of relationships and the capacities to form them are more important than tasks, functions, roles, and positions.”

-- Margaret Wheatley

Compliance Partners

79% General Counsel

32% Compliance

65% Internal Audit

77% Environmental Health & Safety

(Risk Management)

Value of Coordination

“The challenge decentralized organizations face is finding a way to leverage the knowledge possessed by the departments and disseminate that knowledge to the remainder of the institution.”

Patrick H. Dunkley (Stanford University)

Compliance Coordination

No Coordination

Ad Hoc Coordination

Formal Coordination

No Coordination

Have some compliance structure

Assumed Responsibility

VP-Student Life assumes responsibility for crime statistics reporting. Financial Aid Department assumes responsibility for federal disclosures.

No formal coordinating structure

Ad Hoc Coordination

“Silos of compliance”

Report compliance issues up through their chain of command

No regular means for coordinating compliance issues

May coordinate efforts where executive management sees the need (H1N1)

Ad Hoc Coordination

Unreliable – may work for one issue and not at all for another

Difficult to demonstrate compliance with FSG elements

Hampers integration of legal, audit, compliance, and risk management functions

Formal-Integrated Compliance Coordination

Compliance partners in regular contact

Formal agenda

Processes for identifying and addressing issues

Monitoring to ensure risks are addressed

Compliance Coordinator Senior-Level Compliance Team

Value of Coordination

Helpline / Hotline

Of those who have a compliance hotline, who operates the hotline?

Internal

EthicsPoint

The Network

10%

37%

53%

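REPORTING STRUCTURES

[Figure: two charts, labeled INTERNAL AUDIT and COMPLIANCE.]

Chart categories: President, VP, OGC, Board of Regents. Values: 45%, 27%, 18%, 9%.

Chart categories: Board of Regents, VP, President, A/C Comm. Values: 59%, 17%, 21%, 3%.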

Compliance Officer

Institutional Compliance Committee

Campus Compliance Coordinators

Area

Functional

Area Compliance Committees

FERPA

HIPAA

Information Security/Privacy

IRB

IACUC

Effective Coordination

Coordination / Communication

“… take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the [institution’s employees] by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.”

Build a Relationship

Regular group meetings

Annual update meeting with compliance partners

Monthly compliance newsletter.

Summaries of specific laws for university community use

Facilitate training sessions and webinars

General Counsel

Internal Audit

Compliance

EH&S

Institutional Compliance Committee

Athletics Compliance Committee

Information Security and Privacy Committee

PCI/Banking Security Committee

Institutional Review Board

Athletic Compliance Coordinator

Financial Aid Coordinator

Research Compliance Coordinator

Life Sciences Compliance Coordinator

HIPAA Coordinator

FERPA Coordinator

Compliance Planning Group

don’t create a . . .

. . . create a team
