COMPLIANCE AND REGULATION MANAGEMENT REVIEW

MEMO

BACKGROUND

As a private, higher education institution, University A is subject to various laws and regulations. Compliance with
these regulations requires a sound compliance and regulatory management function. The risk management office
currently monitors and tracks applicable regulatory requirements, as well as the university’s compliance with these
requirements, via the online database Compliance Portal. The portal was implemented in 20XY to replace the
Lotus Notes Compliance Database. Compliance Portal allows departments to track compliance with certain
policies and regulations, as well as departmental milestones and important compliance deadlines. Regulatory
“owners” from each department work with the risk management office and general counsel to track compliance
with identified regulations. Regulations that affect the higher education industry include the following:
• Title IX/Clery Act – Title IX prohibits discrimination on the basis of sex in any federally funded education
program or activity. Additionally, private and public universities participating in federal student aid programs are
expected to comply with the Clery Act, requiring the disclosure of campus safety information and expected
requirements for handling incidents of sexual violence and emergency situations.
• Student Right to Know Act – Institutions that participate in any student financial assistance program under
Title IV of the Higher Education Act of 1965 (as amended) are required to disclose information about
graduation rates to current and prospective students.
• NCAA (National Collegiate Athletic Association) Regulations – The university or boosters of university
athletics violate NCAA regulations, which results in sanctions against athletic programs, loss of athletic
scholarships, forfeiture of athletic program victories and/or adverse public perception of the university’s athletic
programs.
• Equity in Athletics Disclosure Act – Requires co-educational institutions of post-secondary education that
participate in a Title IV federal student financial assistance program and have an intercollegiate athletic
program, to prepare an annual report to the department of education on athletic participation, staffing, and
revenues and expenses, by men's and women's teams.
• Higher Education Opportunity Act (HEOA) – The HEOA requires that institutions offering distance education
or correspondence courses/programs have processes in place to ensure that the student registering for a
course is the same student who participates in the course or receives course credit.
• Student Loan Default Prevention Initiative Act – Initiated in 1990, this act enforces institutions with high
default rates on student loans to be ineligible to participate in certain student loan programs.
• Title IV – Non-compliance with Title IV regulations puts the organization at risk of not being able to receive
financial aid funding at levels sufficient to operate the university.
• Family Education Rights and Privacy Act (FERPA) – All student education records are considered
confidential and ordinarily may not be released without written consent of the student. This is a federal law
(Family Education Rights and Privacy Act of 1974).

Non-compliance with regulations governing University A’s programs and operations puts it at risk of losing
licenses to operate and/or financial aid funding, as well as puts the university at risk of fines, penalties, sanctions
and reputational damage. As a continuation and refresh of the 20YY Compliance and Regulation Management
Review, internal audit (IA) will review the maturity of the university’s overall compliance program, including how
new requirements are identified, assessed and rolled out; roles and responsibilities; training and awareness; use
of the Compliance Database; and monitoring ongoing compliance and compliance posture.

Export control and the Foreign Corrupt Practices Act (FCPA) are additional regulatory requirements that affect
higher education but will not be included at a detailed level in this project, as those regulations are on the internal
audit plan for review as a separate project during the year.

1 Source: www.knowledgeleader.com
 OBJECTIVES

Our primary objectives are as follows:

• Determine whether policies and procedures exist and are adequate in identifying and monitoring compliance
with applicable laws and regulations.
• Conduct interviews with risk management and other relevant university management, and review existing
controls, procedures and training awareness used to identify and monitor applicable regulations and
compliance requirements to impacted areas.
• Determine the laws and regulations in which lack of compliance most greatly affects the university.
• Review the compliance processes and controls associated with the selected areas and review adherence to
university policies and procedures. Consider procedures around the monitoring and tracking of adherence to
applicable laws and regulations.
• Determine the status of internal audit’s recommendations delivered to the university as part of the 20YY
University Compliance and Regulation Management Review and verify if appropriate remediation procedures
have been implemented in response to these findings.
• Evaluate the overall compliance program and work with risk management and other relevant personnel to
develop appropriate recommendations for process and control improvements.

SCOPE

The scope of our engagement will include the review of policies, procedures and internal controls currently in
place within the university’s compliance regulation management function around the university’s regulatory and
compliance management process and use of the Compliance Portal.

APPROACH AND REPORTING

IA will perform the following:

• Hold discussions with risk management (and other applicable departments, including: general council,
athletics, financial aid, human resources, accreditation and program approval, and office of campus life).
• Review existing policies, procedures and training to verify they are adequate to address regulatory
requirements.
• Review current compliance processes and controls to verify adherence to university policies. Consider
procedures around monitoring and tracking of compliance to applicable laws and regulations.
• Review best practices regarding methodologies for managing compliance with higher education regulations.
• Identify process and control enhancement opportunities (including those related to policies).
• Review and validate findings with process owners.
• Work with university management to develop appropriate recommendations for improvement opportunities.

At the conclusion of the review, we will provide management with a report that summarizes project objectives,
scope and approach, procedures performed, process background, observations, and recommendations.

SPECIALIST COORDINATION

University A’s internal audit team will include the following specialists throughout the execution of this project:
• Internal Audit and Quality Assurance – Person D, Associate Director

2 Source: www.knowledgeleader.com
• Internal Audit (IT) and Data Analysis – Person C, Managing Director

IDENTIFICATION OF FRAUD RISK

We will consider the likelihood of fraud risk, as well as identify any potential improvements to prevent and/or
detect fraud as it relates to the specific processes included within this review. Should any potential indicators of
fraud be discovered, the project sponsor will be notified immediately to discuss next steps.

SUPERVISION AND REVIEW OF WORK PAPERS

All work performed by internal audit seniors and consultants will be reviewed by internal audit management before
being turned over to University A. Internal audit management will capture review comments either in an electronic
file or directly on hardcopy. All final reviewed deliverables will be updated and maintained on-site in hard copy
form and electronically on either internal audit’s client/project SharePoint site or in University A’s audit portal.

In addition, it will be the responsibility of internal audit management and the internal audit team to determine when
to involve the managing director. At a minimum, a member of the project management team (listed above under
Specialist Coordination) will participate in internal audit-facilitated update meetings and presentations to discuss
any identified exceptions or observations as well as project status, progress and other administrative matters.

The internal audit and quality assurance lead will not sign off on each individual test performed but will review, at
minimum, the consolidated listing of observations and exceptions.

TIMING & LOGISTICS

Commencement of fieldwork: March 20XX

Conclusion of fieldwork: April 20XX

The fieldwork is planned to be performed primarily by a consultant and senior consultant with review and
oversight to be provided by the manager, person E and associate director, person D.

BUDGET

It is estimated that the compliance and regulation management review will be completed in approximately XX
hours with an anticipated staffing mix per the breakdown below. Should the scope of our project change, we will
modify our estimates accordingly and notify university management immediately.

PLANNING

Level Hours

Managing Director X

Associate Director X

Manager X

Senior Consultant X

Total X

3 Source: www.knowledgeleader.com
EXECUTION

Level Hours

Associate Director X

Manager X

Senior Consultant X

Total X

WRAP-UP

Level Hours

Managing Director X

Associate Director X

Manager X

Senior Consultant X

Total X

CONTACTS

The key client contact information is as follows:

Name Title/Dept Phone # Email

Person A Assistant Vice President of Risk XXXXXXXXXX [email protected]

Management and Safety Services

Person B Executive Director, Risk, Safety XXXXXXXXXX personb@ university.com

and Transportation Programs,
Risk Management and
Environmental Health and Safety
Services

4 Source: www.knowledgeleader.com
INTERNAL AUDIT TEAM
The key internal audit team contact information is as follows:

Name Title/Dept Phone # Email

Person C Managing Director XXXXXXXXXX [email protected]

Person D Associate Director XXXXXXXXXX [email protected]

Person E Manager XXXXXXXXXX [email protected]

Person F Senior Consultant XXXXXXXXXX [email protected]

5 Source: www.knowledgeleader.com