Deena King (dking16@twu.edu) is Director of Compliance at Texas Woman’s University in Denton, Texas.
In the September 2017 issue of Compliance & Ethics Professional magazine, Kenneth Liddle gave us an excellent 6-month road map for starting a higher education compliance program.[1] His article contains a solid approach for starting, or re-starting, a compliance program at any higher education institution by focusing on vision, culture, and risk. Nevertheless, as he mentioned in the first paragraphs, there are many ways to approach compliance.
This article will propose a 12-month road map. In my view, the more road maps the better. All these strategies become a cafeteria of options that allow compliance leaders to pick and choose what will work best for them. As Liddle pointed out, the ultimate goal should be excellent compliance coverage based on risk.
Although the approach described below has some similarities to Liddle’s recommendations, it is different. In the end, it is just another systematic way to reach the same goal.
Four tools
To set a context, it must be noted that this road map is influenced by four best practice tools. Below is a brief discussion of each tool.
Tool 1: COSO
My background in internal audit taught me that the elements of internal control play an important role in compliance and that internal controls are implemented in three dimensions. This view comes from the Committee of Sponsoring Organizations’ (COSO) Internal Control — Integrated Framework.[2] This is sometimes called the “COSO Cube” (see figure 1).
The overall goal of the COSO framework is to improve organizational performance and governance. If you review the face of the cube, you will see there are five principles presented. These principles align with the “seven elements” (Tool 2, discussed below). The top of the cube represents the primary objectives of an organization with compliance being a key objective. The side of the cube represents, from front to back, the hierarchy of a typical organization. This indicates that organizations need to address all the principles on the face of the cube and on the top of the cube at the entity, division, operational, and functional levels.
Tool 2: The Federal Sentencing Guidelines
The framework my university adopted comes from Compliance in One Page,[3] a framework based on the “seven elements” of the U.S. Federal Sentencing Guidelines (FSG) on Effective Compliance Programs.[4] These activities are regularly promoted as the essential building blocks of institutional compliance and are part of Liddle’s Tier 1 risk review.
Compliance in One Page reorganized the seven elements and added an eighth in order to: (1) address the fact that almost all functions in any business are built on processes, (2) group similar elements together, and (3) align each step with the COSO Integrated Framework Principles (discussed above). Below is an outline of this approach.
Step | FSG Citation |
---|---|
1. Identify Requirements/Risk | §8B2.1.c |
2. Establish a Compliance Organization | §8B2.1.b.2.A-C |
3. Establish Policies and Procedures | §8B2.1.b.1 |
4. Communicate/Train | §8B2.1.b.4.A&B |
5. Implement/Promote | §8B2.1.a |
6. Monitor/Audit | §8B2.1.b.5.A-B |
7. Change/Improve | §8B2.1.b.7 |

Element | FSG Citation |
---|---|
8. Leadership/Corporate Culture | §8B2.1.a.1&2 |
Tool 3: The Institute of Internal Auditors Three Lines of Defense Model
The Institute of Internal Auditors’ (IIA) Three Lines of Defense Model[6] is similar to the side of the COSO Cube, from the back moving forward, but also addresses elements on the top and the face. According to the IIA, these three lines are:
- First line, operational management: Responsible for maintaining effective internal controls operationally on a day-to-day basis.
- Second line, risk management and compliance functions: Facilitate and monitor the implementation of effective risk management and compliance practices.
- Third line, internal audit: Provide the governing body and senior management with comprehensive, independent, and objective assurance.
In some ways, this is similar to Liddle’s three-tiered approach.
This discussion views subject-specific compliance programs, such as privacy, Title IX, minor protection, and campus safety, as “first line” and the institutional compliance program as “second line” (see figure 3).
Tool 4: The Higher Education Compliance Alliance Compliance Matrix
Many university compliance programs are already aware that the Higher Education Compliance Alliance (HECA) maintains a summary of all relevant federal regulations that apply to higher education. The June 2017 release of the matrix includes 269 federal statutory summaries sorted into 36 different topics or compliance areas.[7]
I may be wrong, but from what I know, no other industry has a tool as powerful as this one — a list that summarizes every federal law that applies to higher education. And it is updated regularly. This represents thousands of dollars’ worth of legal work! The General Counsel’s office at Catholic University also maintains a Campus Legal Information Clearinghouse (CLIC). This is another valuable inventory. The URL is http://counsel.cua.edu.