
STANFORD UNIVERSITY

INTERNAL AUDIT & INSTITUTIONAL COMPLIANCE

Implementation Plan for Institutional Compliance Program at Stanford

A "Matrix" Approach

Background

A comprehensive institutional compliance program is one which integrates and coordinates all significant requirements with which the institution must comply by law, regulation, or other binding rule or agreement. Comprehensive organizational compliance programs are common in highly regulated industries, and have recently become more common in higher education as a result of highly publicized instances of alleged non-compliance in such areas as Medicare billing (e.g., the Corporate Integrity Agreement between the University of Pennsylvania and the U.S. Department of Justice).

In 1987, the Federal Sentencing Guidelines (FSG) provided one of the first "models" for organizational compliance programs. They recommended that federal judges give "credit" for reduced penalties to organizations found guilty of violations if they had previously developed "an effective program to prevent and detect violations of law." Appendix A provides the definition of such a program from the FSG Section 8A1.2.

In 1998, in response to the Physicians At Teaching Hospitals (PATH) investigations at university teaching hospitals, corporate integrity models based on the FSG were developed by the Department of Health & Human Services (DHHS) Office of Inspector General (OIG) (http://www.dhhs.gov/progorg/oig/modcomp/hospital.pdf). A December 2000 survey of 17 university Chief Financial Officers indicated that formal compliance programs had been or were being established at 10 of the universities; many of these programs were initiated as a result of the adoption of one or more elements of the DHHS/OIG model within their medical centers. An article in a recent issue of the journal of the National Association of College and University Business Officers (NACUBO) provides an overview of such programs (Spring 2000 NACUBO journal at http://www.nacubo.org/website/members/bomag/00/01/compliance.html).

All these models contain various components aimed at enhancing and ensuring institutional compliance, including:

  • Establishing institutional expectations and codes of conduct
  • Developing and effectively communicating policies and procedures
  • Designating a formal compliance office with suitable administrative powers
  • Implementing a program to monitor compliance
  • Identifying and applying sanctions for intentional non-compliance 

The Planned "Matrix" Framework for Stanford's Institutional Compliance Program

Currently at Stanford, programs containing components such as those bulleted above have evolved in a number of specific compliance areas (e.g., Environmental Health and Safety, sexual harassment, NCAA rules, research administration), but there is no single point of contact. This document provides a plan to initiate development of a "matrix" compliance program which connects these individual components, coordinates their operations, and represents the University's institutional perspective, but at the same time avoids the creation of a new bureaucracy which could be perceived by the faculty as unhelpful. We call this a "matrix" framework, because its goal is to enhance compliance primarily through the actions of a decentralized matrix of University offices and officers, coordinated and assisted by a small central compliance function with a reporting relationship to the Stanford University Board of Trustees.

Appendices B and C provide an overview of the "matrix," showing the compliance components we believe should be included (rows of Appendix B), compliance areas (i.e., clusters of laws, regulations, contractual requirements) to be included (the 18 columns of Appendix B), and suggested offices and individuals to be incorporated within the matrix (columns of Appendix C).


Planned Implementation Steps

  1. CFO redesignates the Executive Director of Internal Audit as the Executive Director of Internal Audit and Institutional Compliance (the Executive Director). Director continues to report to the CFO, with a direct reporting relationship to the President and the Committee on Audit of the Board of Trustees.
  2. Board of Trustees redesignates the Committee on Audit as the Committee on Audit and Compliance.
  3. Executive Director of Internal Audit and Compliance is tasked with presentation of an annual institutional compliance report to the President, Cabinet, and the Committee on Audit and Compliance.
  4. President appoints a Compliance Coordinating Committee, staffed by the Director, made up of the persons functionally responsible for compliance in the 19 "matrix" areas (currently presumed staff are indicated in the fourth column in Appendix C, plus representatives of the General Counsel's Office, Risk Management, and the administrative deans from the schools). The primary purpose of this Committee would be to meet at least semiannually to do risk assessments and ensure that all members are knowledgeable about pertinent noncompliance risks deriving from sources external to the University or from any one of the other 19 areas. Committee members would also be responsible for consulting with and keeping the policy makers in the 19 areas (second column in Appendix C) apprised of compliance issues within their areas.
  5. Director initiates Compliance Program activities, including:
    • Works with the Compliance Coordinating Committee to ensure that each cell of the "compliance matrix" (Appendix B) contains appropriate policies and processes and that the existence of policies or processes in that area is documented.
    • Promotes compliance awareness through "ethics initiatives," either University-wide, or in concert with the faculty and staff training programs of the offices in the compliance "matrix."
    • Provides liaison with the Office of the General Counsel, the Office of University Communications, and other responsible offices in addressing incidents of alleged noncompliance that arise.
    • Works through the Internal Audit function to both monitor compliance and assess the adequacy of compliance activities in each area of the matrix. Includes such information in the annual compliance report.
    • Implements and publicizes a "Compliance Help Line" program, which Stanford employees who have concerns of any kind stemming from possible noncompliance could call to register their concerns, anonymously if desired. (This help line could be internally staffed or could be contracted out to another organization; there are several which specialize in offering this service. Call content will be documented and reviewed; calls pertaining to any of the 16 areas in the "matrix" will be forwarded to the responsible offices for handling, with later follow-up by the Executive Director.)
    • In cooperation with the Office of the General Counsel, develops a formal policy, and procedures, to protect University employees who make allegations of noncompliance.
    • Networks with other university compliance officers throughout the nation to keep apprised of emerging compliance issues, share best practices, etc.
    • Considers needed additions to the compliance matrix, if other important areas of compliance are identified, and keeps the matrix up-to-date, as Stanford's organization changes and new individuals assume roles of responsibility.
    • Considers needed changes in the compliance program and brings them to Compliance Oversight Committee for review and transmittal to the President.
    • Secures necessary funding from the Provost to carry out the above activities.

Appendix A

Excerpt from Federal Sentencing Guidelines

§8A1.2. Application Instructions - Organizations

(k) An "effective program to prevent and detect violations of law" means a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct. Failure to prevent or detect the instant offense, by itself, does not mean that the program was not effective. The hallmark of an effective program to prevent and detect violations of law is that the organization exercised due diligence in seeking to prevent and detect criminal conduct by its employees and other agents. Due diligence requires at a minimum that the organization must have taken the following types of steps:

(1) The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.

(2) Specific individual(s) within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures.

(3) The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.

(4) The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g., by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.

(5) The organization must have taken reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.

(6) The standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.

(7) After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses -- including any necessary modifications to its program to prevent and detect violations of law. The precise actions necessary for an effective program to prevent and detect violations of law will depend upon a number of factors. Among the relevant factors are:

(i) Size of the organization -- The requisite degree of formality of a program to prevent and detect violations of law will vary with the size of the organization: the larger the organization, the more formal the program typically should be. A larger organization generally should have established written policies defining the standards and procedures to be followed by its employees and other agents.

(ii) Likelihood that certain offenses may occur because of the nature of its business -- If because of the nature of an organization's business there is a substantial risk that certain types of offenses may occur, management must have taken steps to prevent and detect those types of offenses. For example, if an organization handles toxic substances, it must have established standards and procedures designed to ensure that those substances are properly handled at all times. If an organization employs sales personnel who have flexibility in setting prices, it must have established standards and procedures designed to prevent and detect price-fixing. If an organization employs sales personnel who have flexibility to represent the material characteristics of a product, it must have established standards and procedures designed to prevent fraud.

(iii) Prior history of the organization -- An organization's prior history may indicate types of offenses that it should have taken actions to prevent. Recurrence of misconduct similar to that which an organization has previously committed casts doubt on whether it took all reasonable steps to prevent such misconduct.

An organization's failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective program to prevent and detect violations of law.

Historical Note: Effective November 1, 1991.


Appendix B

Compliance Matrix: Components of Stanford Institutional Compliance Program and Compliance Areas

An overview of the "matrix," showing the compliance components (action steps) we believe should be included, and the compliance areas (i.e., clusters of laws, regulations, contractual requirements) to be incorporated within the matrix.

Compliance Components


Appendix C

Stanford University Offices / Officers Presumed Responsible for Compliance Areas

An overview of the "matrix," showing the compliance areas we believe should be included (i.e., clusters of laws, regulations, contractual requirements), and suggested offices and individuals to be incorporated within the compliance program.

Compliance Office Matrix

Last modified Tuesday, 14-Aug-2007 11:16:40 PM
