NACUBO Logo National Association of College and University Business Officers The Compliance Umbrella
Membership and Community Business Topics Government Relations Research Bookstore Career Heaquarters Professional Development News and Updates About NACUBO
 

My NACUBO
Join NACUBO
Login

Site Map
Contact Us
Home > News & Updates > Business Officer Magazine > Business Officer Magazine Back Issues > 2000 > January > The Compliance Umbrella

The Compliance Umbrella

Print Version

January 2000

By Barbara E. Walsh, James A. Moran, and Gerald J. McDougall

Presidents, vice-presidents, deans, chairs, and directors of colleges and universities are responsible for the institution’s compliance with diverse governmental regulations, policies and procedures, and contractual obligations. The spectrum of control at colleges and universities can span from an environment of accountability to one of laxity; from practices that lead to organizational integrity on one hand to whistleblower lawsuits and fines on the other.

Whistleblower, or qui tam lawsuits, once found primarily in the U.S. Department of Defense contracting environment, have now become common in the health care industry, and are becoming a serious problem at colleges and universities. Settlements of False Claims Act suits at the University of Minnesota and New York University (NYU) have cost these universities millions of dollars and created negative public relations. Further, they have resulted in costly administrative requirements, such as additional external audits with reporting directly to the government.

In a recent settlement of a qui tam suit at Brewton Parker College, the institution settled for $4 million, according to an article in the May 29, 1998 Chronicle of Higher Education. This suit alleged that financial aid had been improperly awarded to students, mostly athletes. In qui tam suits the whistleblower receives part of the settlement personally––in this case the woman who brought the suit gave most of her portion of the settlement to students who were improperly denied aid. In another example of a qui tam settlement, New York University agreed to pay $15.5 million in April 1997 (see April 18, 1997, Chronicle of Higher Education). The allegations of the qui tam suit included voluntary cost sharing inappropriately omitted from the indirect cost base, and double-billing of costs in multiple indirect cost rates. The relator, a former employee, received $1.5 million. It should be noted that in the settlement agreement, NYU denied any wrongdoing or liability.

Trends

Qui tam suits are not the only frightening trend. Headlines also point out the temporary suspension of human subject research at Duke over regulatory compliance issues. Front page headlines in the May 9, 1999, Cincinnati Enquirer expressed concerns about compliance with informed consent requirements in mental health research at the University of Cincinnati. The front page of the August 15, 1997, Wall Street Journal showed the arrest and jailing of two faculty at the Medical College of Georgia for theft of university funds on clinical trials research.

Boards are becoming familiar with the landmark Caremark International decision (698 A.2d 959) ,which held that boards were responsible for putting in place reporting mechanisms that would assure their awareness of any misconduct or other compliance issues. The Delaware court wrote, “. . . a director’s obligation includes a duty to attempt in good faith to assure that a[n] [organizational] information and reporting system exists . . . reasonably designed to provide senior management and the board itself, timely accurate information. . . to reach informed judgements concerning the [organization’s] compliance with the law.”

Managers know, believe (or hope) that “someone, somewhere” is taking care of compliance with all the various regulatory requirements laid upon the institution as a recipient of federal funds or as a major employer. Institutions have multiple missions, resulting in a multiplicity of related regulations. In addition to the traditional missions of teaching, research, clinical activities, and community service, institutions may be operating a golf course, an airport, a radio station, or a retail mall.

In running these many businesses, higher education executives have the traditional tools of internal and external audit to support them. In the current environment of increasing oversight, combined with the danger of internal whistleblowers, higher education executives and managers need improved tools to extend themselves proactively into the organization. This means setting standards, and then assessing and correcting behaviors as necessary to uphold those standards.

The tool suggested by the regulators and courts is an ethics and compliance program along the lines of the description of an “effective program” outlined in the Federal Sentencing Guidelines. In settlements of False Claims Act suits, Physicians at Teaching Hospitals (PATH) audits, and other government settlements, programs of this type are mandated. They can be more effectively implemented if created proactively and voluntarily. Voluntarily implemented programs demonstrate that institutional executives have made compliance a priority. In addition, programs implemented pursuant to Corporate Integrity Agreements or other settlement terms frequently include expensive external audits reporting directly to the regulators. Further, the costs of the program typically cannot be incorporated in cost billing rates to the government.

Many college and university managers want to aggressively protect the reputation of their institution. They want to discover problems and correct them, setting a high ethical tone “at the top.” Finally, they want to find ways to reduce their risks of adverse audit findings, and whistleblower suits by implementing compliance programs for their clinical, academic, and/or research operations.

A Model Program for Higher Education

Tasked to develop programs for our institutions, we looked at three existing models (shown in Table 1) for ethics and compliance programs in other institutions: Defense Industry Initiative (DII) Principles (the basis for business ethics and compliance programs for Department of Defense contractors); Federal Sentencing Guidelines criteria for effective programs; and Model Compliance Program for Hospitals.

A study of these models led us to distill the following common basic elements of an ethics and compliance program for application in higher education as follows:

  • the identification of a compliance officer with an appropriate reporting structure and advisory or governing bodies;
  • development of a written code of ethics and code of business conduct, standards, and procedures;
  • employee training;
  • establishment of an independent reporting mechanism;
  • monitoring and risk assessment to proactively identify risk areas; and
  • corrective action including appropriate enforcement and discipline.

We believe these are the essential building blocks of an effective program, and designed an implementation model program specifically for the higher education environment.

The compliance officer or director provides leadership and guidance for the implementation of the compliance program and is a champion for ethics and compliance activities. The compliance officer does not actually take personal responsibility for managing all the areas of compliance. He or she puts certain structures in place. This will help assure management that all necessary compliance responsibilities have been identified and appropriately assigned to someone within the organization; that these responsibilities are known to the individuals involved, with the effective procedures and structures in place; that appropriate levels of awareness and expertise in the regulatory requirements are supported by training in each area; that regulatory responsibilities are monitored and are met; and that corrective action is taken where any gaps or problems arise.

Our attempt to develop a compendium of all federal laws and regulations normally applicable to colleges and universities resulted in an 85-page book. From this, we learned that a strategic approach is critical. At larger institutions, it may be helpful to have several subject area compliance directors focused on the risks that are specific to a particular area––especially for large research centers, or institutions with major research operations.

Step1. Selection of the Compliance Officer

The first step in creating a compliance program is the selection of the compliance officer or director(s), and the identification of the appropriate reporting relationships, as well as guidance, governance, or advisory bodies to participate in the program. The steps are detailed as follows:

First, decide if it is better to select someone from within the organization or to hire someone with compliance program expertise. Either decision has merit, and either solution can work. The big advantage of an internal candidate is that he or she knows, and is known by, many of the employees. The person selected should be fair and highly ethical. The internal candidate will have a head start on much of the diagnostic work, already knowing many of the strengths and weaknesses of the organization, as well as how to communicate most effectively through the organizational structure. The external candidate may bring more extensive educational or work experience to the table. You can advertise for an experienced ethics and compliance officer from another industry, or hire someone with subject area expertise, such as an attorney with experience in labor, contract, health care law, or other areas of law relevant to your institution. The external candidate also brings fresh eyes to see problems that the internal candidate may miss due to cultural or long-standing working environment conditions.

If a good internal candidate is not available, then select an external candidate with experience in developing compliance programs. The compliance officer must be someone who can be trusted with secrets, and who can influence the members of your campus community––including the faculty––to change their behavior. The person also must be an excellent listener and communicator.

There is a training component to the position. Much of the compliance officer’s day is spent explaining the rules and procedures to others, mostly in response to questions or concerns. Also, the Federal Sentencing Guidelines require that the individual be highly placed in the organization, so the institution should select someone whom it is willing to include in the highest levels of management.

Secondary to these considerations is technical knowledge in at least some of the regulations, from the research compliance, cost or financial, human resources, legal, or audit areas. These technical skills can also be enlisted as support to the lead person. No compliance officer starts with complete subject area expertise.

Step 2. Determining Appropriate Reporting Relationships

Where should the compliance officer or director report? There are as many answers as there are institutions. The corporate model is a vice president or director who reports directly to the CEO or COO with a dotted reporting line to the board, usually via the audit committee. This satisfies the Federal Sentencing Guidelines requirement for access to the highest levels of management, and demonstrates management’s commitment to the high priority of compliance.

Current compliance officer reporting structures are varied. One model is to have the compliance director reporting to the provost, operating a program addressing academic, research, student, and all other issues.

This reporting relationship sends a strong message that the program has the support of top management, with the required high level access. Dotted line reporting to the audit committee of the board (or to internal audit) would probably be recommended by peer ethics officers in industry. Other alternatives for a single institutional program is to house them in internal audit or in the office of the legal counsel.

Compliance officers in industry frequently are lawyers, so housing the office in legal affairs sometimes appears a logical placement, but it can create problems. The primary concern about having a compliance officer report to the internal audit or legal functions is perception by the institutional community. The compliance officer is usually the person with whom individuals discuss their concerns. Often, individuals may fear or may have had negative experiences with auditors and lawyers, and may not feel that these individuals could be sympathetic or care about them. More important, faculty may not have sufficient respect for a support staff employee to understand that the compliance office is a high priority to the president and provost. Finally, this reporting relationship may not provide sufficient high-level access for the director of compliance. Although the dotted line relationship that internal audit usually has to the board could be seen as satisfying that relationship, actual day-to-day access to top management is critical to the work of the compliance director.

Another alternative structure for a large research institution would place an institutional compliance director associated with the senior business officer, and identify a separate research compliance officer or director to address the many and varied compliance responsibilities associated with sponsored research.

This individual would report to the research vice president, but with dotted lines between the two compliance directors. This structure can be very effective, as the compliance directors can share resources and information, while developing specific programs based on their more detailed expertise in their dedicated areas. This allows major risk areas in research and academic affairs to be addressed simultaneously in a very focused manner, and allows each community to have someone with a special knowledge of their issues. It would also allow the selection of a compliance director known to the faculty and staff in each community to facilitate trust and confidence.

Alternatively, academic medical centers, or institutions with large soft money research organizations, such as Federally Funded Research and Development Centers (FFRDCs) or University Affiliated Research Centers (UARCs), may already have a compliance program on the campus at the medical or research organization. Several structural options are being attempted for enlarging these programs out to the rest of the organization. One option adds a compliance director or directors for research and academic activities, and has them report in a dotted line to the same oversight committee as the hospital billing compliance or research center program. This requires changing that committee’s charge, and possibly its membership, to reflect an overall institutional oversight role. The compliance directors focus on the risks relevant to their particular area, but work together on overall initiatives and can share resources.

Another model for the complex major research institution is the creation of compliance directors and programs for each of the major units or activities of the institution, connected to each other, but informally. When elements of a large institution are governed by extensive regulations unique to that area, a subject area compliance director may be the best approach. Many large institutions have medical centers and/or medical schools, large soft money research centers, or substantial research enterprises.

Some laws and regulations apply across the board, and others are very discipline-specific. These expert subject area compliance professionals can develop programs targeted to the issues in their particular area, and combine forces when dealing with institutional solutions to overarching problems. Each would have his or her own program, and would coordinate with each other, serving on each other’s advisory or oversight committees.

In summary, when looking at an institution and trying to design the optimal compliance organization structure, we recommend considering the following:   

  • Who does this program need to reach?
  • Whose behavior will it be attempting to influence?
  • Who could effectively reach this target group and create change?
  • Should there be more than one office in order to maximize effectiveness?
  • Given the target group(s), where in the organization would the compliance director(s) receive the most effective executive management support?
  • Where do they need to be for the message to be clear that this is a top priority of management?

Step 3. Setting up the Structure - The Committee/Council

To support and provide input and feedback to the compliance officer, a compliance committee or council is needed. The Model Compliance Program for Hospitals refers to “other appropriate bodies, e.g., a corporate compliance committee.” At colleges and universities, this may be an actual board, governing the operation of the program. The committee or council can alternatively be established with a review and advisory role, rather than actual governance. Alternatively, the role of the compliance committee or compliance advisory council can be designed by the group itself. One of its first tasks can be the review of its draft roles and responsibilities definition, or charge. This group provides the extremely valuable opportunity to involve faculty, deans, chairs, directors, and high-level university administrators in the program. In addition, the compliance director’s work will involve teaming with subject area experts in human resources, finance, corporate counsel, internal audit, and with other institutional compliance directors. The review of program activities by this group provides feedback to the director on proposed initiatives, provides a review group for proposed policies and procedures, serves as a sounding board for problems and challenges, and gives input concerning the current concerns of the campus community. Serving as an important source of information and expertise, the group should be carefully selected, and should not be so large as to inhibit open discussion. We recommend a group of 6-to-12 total. The faculty and academic administrator representatives should be rotating positions, to be replaced after one or two years with  new representatives in order to continue to involve more of the institution in the program. Serving on the committee or council provides the best possible perspective on the need for the program and the value of its activities.

The group should meet regularly. Our experience suggests that every other month may be a reasonable schedule for normal operations of a proactive program. If the program has been established because of a current crisis, more frequent meetings will undoubtedly be necessary.

Step 4. The Underlying Documents – Codes of Ethics and Conduct, Roles and Responsibilities

With the human foundation in place, it’s now possible to create the conceptual foundation of the compliance program. There are two main thrusts, the definition of the program, with the related roles and responsibilities definitions, and the formal ethics and compliance statement of the institution itself. All the model programs call for a written code of ethics, written code of conduct, written standards, and compliance procedures.

Many institutions have parts of the foundation in place, so the first task is to assemble all the existing material, beginning with a search for written codes of ethics, including, for state institutions or units of systems, codes of ethics at the system or state level. Collect all employee handbooks, institutional mission statements, and look for values statements. The basic requirements––a written code of ethics and written code of conduct––may be already in place. If not, the elements for building them may be available.

A written code of ethics or values is important to provide an ethical framework for the compliance activities. A code of ethics should say something about the values of the organization, such as relating them to universal ethical principles, and then make some very general statements about behavior, i.e., “because we believe (or are) this, we act like this.” The following statement is an excerpt from the United Technologies’ Code of Ethics:

Our Employees

We are committed to treating one another fairly and to maintaining employment practices based on equal opportunity for all employees. We will respect each other’s privacy and treat each other with dignity and respect irrespective of age, race, color, sex, religion, or nationality. We are committed to providing safe and healthy working conditions and an atmosphere of open communication for all our employees.

A working group of faculty, academic and/or research administrators, and staff should be assembled to write the code of ethics. It is useful to collect and provide to the group examples of codes of ethics from similar organizations, from related professional bodies, and from respected national concerns. The working group will need to decide what voice it wants to write the code (we, you, or the employee). It appears that most organizations choose the we type of statement as a unifying theme. Other unifying themes can be an existing values statement or mission statement, which can be expanded or combined to provide a framework, or a graphic that is particularly meaningful, or an overall slogan or logo. Many examples of codes of ethics and values are available on the World Wide Web.

A code of ethics is often expanded into a code of conduct, which relates important policies and procedures into a short compliance handbook provided to all employees. This useful document provides the basis for overall training and orientation of new employees. Each of the most critical policies of the organization and the most important laws and regulations are reduced to a paragraph description, outlining the basics of the law, regulation, or policy, meeting the important compliance requirements. Often, examples, vignettes, or case studies are provided, and/or frequently asked questions about the particular area, to illustrate important points. These are most effective if they are versions of actual problems or issues from your institution.

Other key documents are a definition of the program and the roles and responsibilities policy. The definition of the program may be a formal mission statement, or it may be embodied in the job description of the compliance director, or in a memorandum of formal announcement of the new program to the community.

The vehicle is not important, but the communication to the campus is extremely crucial. One of the Federal Sentencing Guidelines requirements is that employees are aware of the program, so the existence of the program and the person to contact must be well publicized. Announcements in staff and faculty meetings, articles in newsletters, broadcast e-mail, Web sites, or videos are all useful tools for communicating the establishment of the program and its mission.

The roles and responsibilities policy will identify each set of compliance responsibilities to a particular person or group. It normally makes the powerful statement that each employee is responsible for questioning apparent variances from the code of conduct, or for reporting misconduct or violations of law of which they become aware. It then outlines the responsibilities of management, of executive management, of the compliance officer, of the compliance committee or council, and others as necessary.

Step 5. An Independent Reporting Mechanism – the Hotline/Helpline

All model programs require the establishment of an independent reporting mechanism, a means for employees to report anonymously about concerns or raise questions without fear of retaliation. Most organizations implement this requirement through the establishment of a “hotline” type telephone number. A number of decisions must be made about the establishment of an employee reporting mechanism. The first is to name your service. The issue of what to call the hotline matters significantly more than one might imagine. In December 1998, a study was performed and published by the Ethical Leadership Group, under commission by Sears to improve its reporting mechanisms. The study reported that the only thing that made a real difference in terms of calls per 1,000 employees were those companies with “Hot Lines,” “Alert,” and “Business Conduct Lines.” They had dramatically lower call volumes than companies with more friendly names like “Ethics Line,” “Help Line”, and “Assist Line.” The report indicates that Ethics Lines and Help Lines receive four to five times more calls, and Advice Lines or Assist Lines show an even greater increase. So, in naming your employee reporting mechanism, it is wise to think strategically about how to package this service to the employees.

Concerns reported must be investigated promptly. The institution’s risk is increased if an internal report of misconduct is made and no action is taken, or it is perceived that not enough was done about it. Many whistleblowers expressed their concerns to management first, but felt that the organization had ignored or not adequately addressed the matter reported. Procedures for the independent reporting mechanism should provide for careful documentation of all questions raised or concerns reported, a log of all calls, and a procedure for the handling of helpline calls. Many institutions already have in place reporting mechanisms for sexual harassment claims, to research misconduct concerns, or other issues.

The compliance helpline need not compete with these established mechanisms; it can, in fact, steer people to them if the individuals are willing to make a formal report that requires them to identify themselves. If they are unwilling to do so, the compliance helpline provides a means to inform the institution about the problem. It may be possible to address the issue with a general communication to the organization, with training, with suggestions of increased oversight by management, or with suggested transaction screening in a particular area.

Internal investigations can be performed by the compliance director after appropriate training, internal audit may be requested to assist, and/or your institution may request that someone from the legal department participate in some investigations. Here, it is critical to have a written procedure for internal investigations, including description of the investigation process, including the target timeframe for completion, and the process of resolution. Your institution may already have at least part of a model for this process embodied in its research misconduct policy and procedures.

Our experience suggests that the helpline is a very valuable tool for management in surfacing things so that they can be fixed––before they result in an external whistleblower or a government audit finding. The key is a management team who is willing to take action to address problems that surface through the helpline.

  Powered by Ingeniux		 © National Association of College and University Business Officers.
All rights reserved.