The basic compliance process is identified in the accompanying graphic. In following this process, the objective of the compliance function is to help ensure that the institution has systems of internal control that adequately measure and manage the risks of compliance failure.1
Identify Requirements
Regardless of the compliance structure an institution builds, the real starting point for compliance is identifying the requirements, in the form of laws, regulations, contractual agreements, etc., that the institution is responsible to address.
Existing Laws and Regulations
Existing laws and regulations can be identified by a variety of methods including the following:
Meeting with constituents and discussing the laws and regulations of which they are aware and deal with regularly. For example, a meeting with the Dean of the School of Life Sciences might bring to light several laws and regulations of which he or she is aware, including the Animal Welfare Act, the Public Health Security and Bioterrorism Preparedness and Response Act, state laws associated with the use of cadavers, etc.
Soliciting concerns and perspectives from the Executive Compliance Committee.
Emerging laws can be identified through subscriptions to various journals that focus on compliance issues in higher education such as the Chronicle of Higher Education.
Other important sources are professional associations such as the National Association of College and University Attorneys (NACUA) and the American Council on Education (ACE), and various law firms who provide free blogs and newsletters focused on higher education.
Understand the Requirements
Once you have identified the applicable law and/or regulations, your understanding should be memorialized in a research memo that provides a basic summary of the law, its requirements, and how to access the law and its related regulations. This document provides several advantages:
Provide a document to store and memorialize your research into the requirements and your understanding of them.
Provide a means by which the General Counsel can review and add to the understanding developed by the compliance office.
Provide a resource to develop training materials, where needed, for the organization.
Provide a repository for tools and information related to the specific area of the law addressed in the research memo.
Provide the foundation for the development of a compliance assessment tool to assess a particular area of the law.
Provide a relatively succinct source of information for the university community to begin to understand the requirements of specific laws.
Once developed by the compliance office, the research memo should be reviewed for concurrence by the General Counsel.
Research memos should be maintained and updated on a regular basis.
Plan Implementation
Having created the research memo for a particular area of the law, the next step is to work with the institution’s managers to identify where the law applies, how it applies, and what standards the institution will use to ensure compliance with the law. This process may involve developing draft policy documents or procedures that need to be reviewed by personnel directly involved in the affected processes; or, it may involve a discussion with the Executive Compliance Committee to see how they feel the compliance effort should be approached. Perhaps a temporary committee will need to be formed to develop the required policies and procedures, or perhaps a standing committee will be required to not only develop the standards but to provide on-going oversight and monitoring.
The Compliance, Risk Management, and General Counsel offices should work together to develop a strategy and plan for implementing the processes, procedures, and policies necessary to ensure compliance.
Implement
Once the standards, policies and procedures necessary to ensure implementation of the standards have been developed and approved, they will need to be communicated and implemented.
Ideally, these policies and procedures would be approved initially by the Executive Compliance Committee for sufficiency in relation to the requirements of the law, and then by the functional management chain.
Thought should be given to how the new legal requirements and associated policies and procedures are communicated to those at the institution responsible for complying with the requirements. For simple issues, email or face-to-face communications may be sufficient. For more complex issues, discussions in staff meetings, presentations, or even workshops may be necessary to communicate the requirements and address the questions and issues that workers may have.
Training provided should be documented.
Areas of the law that are sufficiently complex may need to have a formal compliance program document developed to provide more formal and on-going control over the program.
Ultimately, implementing the policies and procedures is the responsibility of management and their employees. The compliance function may provide help with action plans, may facilitate process improvement teams, or provide other tools to assist management in implementing new processes.
Monitor to Ensure Effectiveness
A key responsibility of the compliance office is to ensure the compliance program as developed and implemented is monitored regularly to ensure it meets the established requirements.
The Federal Sentencing Guidelines (FSG) require that “[t]he organization shall take reasonable steps – (a) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; (b) to evaluate periodically the effectiveness of the organization’s compliance and ethics program.”2
Monitoring can, and ideally should, take several forms as follows:
Entity-Level Monitoring
The department(s) responsible for complying with the requirements should have their own monitoring program, including the identification and documentation of key processes and controls, tools to evaluate the controls, and periodic evaluations and corrective actions. Characteristics of an entity-level monitoring program include the following:
Is conducted by operations personnel,
Uses tools that may be provided by compliance or internal audit,
Involves on-going checking and measuring, and
Is typically completed by department staff and communicated to department management.
Compliance Monitoring Program
The compliance office should periodically conduct monitoring assessments, ideally in concert with employees of the functions being assessed, to evaluate their compliance with the requirements. Although similar in some respects to an audit, the compliance monitoring program generally has the following characteristics:
Often less structured than auditing, though audit techniques may be employed;
Usually completed in concert with operations personnel;
Can be periodic spot checks, daily/weekly/monthly tests;
May identify the need for an audit;
Accountability for monitoring is typically to operations leadership;
If completed in relation to a compliance work plan, formal communication to the Chief Compliance Officer and Compliance Committee; and,
May involve internal audit.
Audit
As noted above, the FSG expects both monitoring and auditing to be characteristics of an effective compliance program. Audits are differentiated from the monitoring process primarily by independence. Characteristics of audits include the following:
Formal review governed by professional standards;
Completed by professionals independent of the operation;
Formal, systematic and structured approach;
Involves planning, sampling, testing, and validating;
Formal communication with recommendations and corrective action measures;
Documented follow-up of corrective actions;
Audit accountability is typically to the Chief Audit Executive and the Audit Committee; and,
Generally involves routine, formal communication to the Board and Management.
To support the monitoring plan, the compliance function should establish and maintain a compliance risk assessment process for identifying and addressing the university’s compliance risks that accomplishes the following:
Conducts a regular program of compliance assessments to assess the adequacy of the institution’s compliance with legal, regulatory, and policy requirements.
Facilitates compliance self-assessments by business units so they can assess the adequacy of their compliance with legal, regulatory, and policy requirements.
Effectively determines the internal controls, oversight, and mitigation efforts applied to the compliance risks.
Provides a risk inventory that itemizes the above and tracks the status of improvement and maintenance efforts.
Roles of the Compliance Function
In implementing the compliance process, the compliance function may assist in several ways, as follows:
1. Advisory
In concert with the General Counsel, the compliance function provides advice to business units regarding current and emerging regulatory requirements and the processes and policies necessary to ensure compliance with them. This role includes keeping business units apprised of regulatory developments and university policy changes, and responding to questions regarding the adequacy of internal controls designed to ensure compliance. In its advisory capacity, the compliance function may promote the establishment of an ad hoc team of appropriate stakeholders to address particular compliance issues and recommend university structures and policy. It might also work with a business unit to revise a business process to ensure it has adequate internal controls, including monitoring programs, to help ensure compliance. The compliance function may develop various tools and forms of communication to keep employees aware of new and changing requirements and may assist compliance coordinators in developing effective compliance programs in specific areas such as Title IX/Sexual Abuse, Minor Protection, Copyright Compliance, etc.
2. Policies and Procedures
Because institution policies and procedures are integral to the compliance program of the institution and are a key component of the FSG requirements for effective compliance programs, compliance functions often manage the policy and procedure development process including helping to develop policies and procedures to address specific laws and regulations and periodically updating existing policies and procedures to address emerging or changing regulations.
3. Education/Training
Compliance functions often conduct training and education programs to keep business unit personnel apprised of policies, procedures, and regulatory events that affect them and to ensure compliance with training requirements imposed by regulatory bodies. These training sessions may be regularly scheduled sessions for large numbers of employees, or specific one-on-one or individual unit training, as needed.
4. Internal Inquiries and Investigations
In concert with the General Counsel and other organizations (e.g., University Police), the compliance function may conduct internal inquiries and investigations into possible violations of legal, regulatory, and policy requirements. The goal of such investigations is to recommend any needed changes to the system of internal control to help ensure that compliance failures are not repeated.
5. Regulatory Examinations/Investigations
As appropriate, in coordination with the General Counsel, the compliance function may handle and respond to regulatory inquiries and examinations.
6. Promoting a Culture of Compliance
The FSG establishes the expectation that an effective compliance program “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”3 This typically translates into working with executive management to help establish a productive “tone at the top” that demonstrates that compliance is a crucial institutional value. This effort includes the interface of the compliance function with executive management in executive compliance committees and other committees where compliance is a principal issue. It also contemplates the coordination effort between the compliance function, General Counsel, Internal Audit, and the Risk Management or Environmental Health and Safety functions.
Conclusion
The 5-Step Compliance Process provides a useful model for understanding and evaluating the effectiveness of our overall university compliance program. To be effective the university must identify and understand the compliance requirements it faces, plan to address these requirements and effectively implement its plans, and monitor its success in achieving its compliance goals. To accomplish these steps requires a concerted effort by members of the institution from the Board of Trustees through executive and middle management to individual employees to ensure the university develops and maintains a culture of compliance.
1 The Sentencing Commission mitigated the potential fine range (in some cases up to 95 percent) if an organization can demonstrate that it had put in place an effective compliance program during the time that a compliance failure occurred. (See An Overview of the Organizational Guidelines, Paula Desio, Deputy General Counsel, United States Sentencing Commission – last accessed 1/19/2016.)
2 U.S. Federal Sentencing Guidelines (2018), §8B2.1(b)(5).
3 U.S. Federal Sentencing Guidelines Manual (2014), §8B2.1(2).