Internal Audit

• Overview
• About Internal Audit
• Documents
• Information Security and IT Audit
• Resources, External Links
• Contact Information

Institutional Compliance Program

• Overview
• Compliance Initiative
• Offices and Officers
• Code of Conduct
• Committee Highlights
• Relevant Policies
• Compliance Helpline

STARS

• Overview
• STARS Help

Related Pages

• Business Affairs
• Office of the General Counsel
• Information Security Office

• Internal Audit & Institutional Compliance
• Institutional Compliance Program
• Compliance Initiative

Compliance Initiative

Background

A comprehensive institutional compliance program is one which integrates and coordinates all significant requirements with which the institution must comply by law, regulation, or other binding rule or agreement. Comprehensive organizational compliance programs are common in highly regulated industries, and have become less rare recently in higher education as a result of highly publicized instances of alleged non-compliance in such areas as Medicare billing (e.g., Corporate Integrity Agreement between the University of Pennsylvania and the U. S. Department of Justice).

In 1987, the Federal Sentencing Guidelines (FSG) provided one of the first "models" for organizational compliance programs. They recommended that federal judges give "credit" for reduced penalties to organizations found guilty of violations if they had previously developed "an effective program to prevent and detect violations of law." You may reference the current Federal Sentencing Guidelines provisions for effective organizational compliance programs in either HTML or PDF formats.

In 1998, in response to the Physicians At Teaching Hospitals (PATH) investigations at university teaching hospitals, corporate integrity models based on the FSG were developed by the Department of Health & Human Services (DHHS) Office of Inspector General (OIG) (See Federal Register, Vol 63, No 35). A December 2000 survey of 17 university Chief Financial Officers indicated that formal compliance programs had been or were being established at 10 of the universities; many of these programs were initiated as a result of adoption of one or more elements of the DHHS/OIG model within their medical centers. An article in recent issues of the journal of the National Association of College and University Business Officers (NACUBO) provides an overview of such programs (NACUBO The Compliance Umbrella).

All these models contain various components aimed at enhancing and ensuring institutional compliance, including:

• Establishing institutional expectations and codes of conduct
• Developing and effectively communicating policies and procedures
• Designating a formal compliance office with suitable administrative powers
• Implementing a program to monitor compliance
• Identifying and applying sanctions for intentional non-compliance

The Plan

Currently at Stanford, programs containing components such as those bulleted above have evolved in a number of specific compliance areas (e.g., Environmental Health and Safety, sexual harassment, NCAA rules, research administration), but there is no single point of contact. This document provides a plan to initiate development of a "matrix" compliance program which connects these individual components, coordinates their operations, and represents the University's institutional perspective, but at the same time avoids the creation of a new bureaucracy which could be perceived by the faculty as unhelpful. We call this a "matrix" framework, because its goal is to enhance compliance primarily through the actions of a decentralized matrix of University offices and officers, coordinated and assisted by a small central compliance function with a reporting relationship to the Stanford University Board of Trustees.

A Compliance Components page provides an overview of the "matrix," showing the compliance components we believe should be included (rows of the matrix), compliance areas (i.e., clusters of laws, regulations, contractual requirements) to be included (the 19 columns of the matrix), and suggested offices and individuals to be incorporated within the matrix (columns of the offices matrix).

Implementation Steps

1. CFO redesignates the Executive Director of Internal Audit as the Executive Director of Internal Audit and Institutional Compliance (the Executive Director). The Executive Director continues to report to the CFO, with a direct reporting relationship to the President and the Committee on Audit of the Board of Trustees.
2. Board of Trustees redesignates the Committee on Audit as the Committee on Audit and Compliance.
3. Executive Director of Internal Audit and Compliance is tasked with presentation of an annual institutional compliance report to the President, Cabinet, and Committee on Audit and Compliance.
4. President appoints a Compliance Coordinating Committee, staffed by the Executive Director, made up of the persons functionally responsible for compliance in the 19 "matrix" areas (currently appointed staff are indicated in the fourth column in the offices matrix, plus representatives of the General Counsel's Office, Risk Management, and the administrative deans from the schools). The primary purpose of this Committee will be to meet at least semiannually to do risk assessments and ensure that all members are knowledgeable about pertinent noncompliance risks deriving from sources external to the University or from any one of the other 19 areas. Committee members should also be responsible for consulting with and keeping the policy makers in the 19 areas (second column in the offices matrix) appraised of compliance issues within their areas.
5. The Executive Director initiates Compliance Program activities, including:

• Works with the Compliance Coordinating Committee to ensure that each cell of the "compliance matrix" (the matrix) contains appropriate policies and processes and that the existence of policies or processes in that area is documented.
• Promotes compliance awareness through "ethics initiatives," either University-wide, or in concert with the faculty and staff training programs of the offices in the compliance "matrix."
• Provides liaison with the Office of the General Counsel, the Office of University Communications, and other responsible offices in addressing incidents of alleged noncompliance that arise.
• Works through the Internal Audit function to both monitor compliance and assess the adequacy of compliance activities in each area of the matrix. Includes such information in the annual compliance report.
• Implements and publicizes a "Compliance Helpline" program, which Stanford employees who have concerns of any kind stemming from possible noncompliance can call to register their concerns, anonymously if desired. (This Helpline will be internally staffed. Call content will be documented and reviewed; calls pertaining to any of the 19 areas in the "matrix" will be forwarded to the responsible offices for handling, with later follow-up by the Director.)
• In cooperation with the Office of the General Counsel, develops a formal policy, and procedures, to protect University employees who make allegations of noncompliance.
• Networks with other university compliance officers throughout the nation to keep apprised of emerging compliance issues, share best practices, etc.
• Considers needed additions to the compliance matrix, if other important areas of compliance are identified, and keeps the matrix up-to-date, as Stanford's organization changes and new individuals assume roles of responsibility.
• Considers needed changes in the compliance program and brings them to Compliance Coordinating Committee for review and transmittal to the President.
• Secures necessary funding from the Provost to carry out the above activities.

Plan Powerpoint Presentation

Please see an online version of the presentation given by Steve Jung.