First Quarterly Report FY 2007

The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended November 30, 2006
Section I – Organizational Matters
• A quarterly meeting of the Institutional Compliance Committee was held on
November 30, 2006.
• One change in membership on the Institutional Compliance Committee was
completed at the beginning of the fiscal year.
• There were no changes in the Compliance staff.
Section II - Risk Assessment, Monitoring Activities and Specialized
Training (Performed by Responsible Party)
High-Risk Area #1: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
• Unauthorized information disclosure through password access obtained by
deceiving user
• Inadequate protection of confidential information including Social Security
Numbers
• Lack of training on information security
Key Monitoring Activities:
• Monitoring of all network traffic to centralized servers with the Nitro IPS/IDS
appliance. Some unauthorized software within the UTPB local area network
was detected and remediated through removal of the software.
• Nitro IDS/IPS appliance is blocking selected traffic signatures and
vulnerabilities. The blocking is done by the appliance vendor according to
identified threats.
• Review of logon / logon attempt logs for SIS server on a daily basis.
Monitoring revealed several attempts to penetrate the system from outside the
local area network. Consequently, access to this system from the outside has
been restricted at the firewall.
Specialized Training:
An online training program is being developed for users that require access to our
systems. The first course will be for users requiring access to the SIS. Potential
users will be required to complete the online course and pass a quiz before the
user will be given an account on that system. Implementation is expected during
the fiscal year.
High-Risk Area #2: Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies
and Sponsored Research
Key “A” risk(s) identified:
• Inadequate training about Federal reporting requirements
• Noncompliance with new Federal report requirements such as Time and Effort
• Inappropriate use of animal and human subjects, research subjects and materials
Key Monitoring Activities:
A Time and Effort Policy to be included in the UTPB Handbook of Operating
Procedures was presented to the Institutional Compliance Committee on
November 30, 2006. The policy is currently open for comments. Monitoring
plan activities are being prepared based on the proposed policy.
Specialized Training:
The Time and Effort Reporting training program provided by UT System is being
customized to the policy that is currently under consideration. We are continuing
our present PI training process which will be revised for consistency with the
proposed Time and Effort Policy. No training was conducted during the first
quarter of FY 2007.
Risk assessments for the remaining “top” risks will be completed during quarters
two and three of this fiscal year. Monitoring and reporting procedures will be
established at that time.
Section III – Monitoring and Assurance Activities (Performed by
Compliance Office)
Monitoring activities have not taken place during the first quarter of FY 2007;
however, the Audit Plan for 2007 for UTPB includes audits in the following high
risk areas that will be completed during the fiscal year:
1) Effort Reporting—progress on implementation of BPM 76
2) Confidentiality of Social Security Numbers—progress on
implementation of BPM 66
3) Confidentiality and integrity of Digital Research Data—progress on
implementation of BPM 75
4) TAC 202—compliance with DIR Rules and Regulations regarding IT
Security
5) NCAA—audit in an area to be determined
Upon development of monitoring plans in each of the high-risk areas,
monitoring and assurance activities will be developed and performed. At that
time significant findings will be reported and assessment of the control structure
will be reported.
In Section IV of this report, results of mandatory training related to Sexual
Harassment are reported. This training was held in response to confidential
compliance reports received as well as identification of inappropriate
relationships and activities by faculty and staff as a high risk area. The follow-up
training for those who missed the mandatory training will be monitored.
The risk of having inadequate financial information to close the prior year and
failure to achieve budget assumptions was partially assessed through the Deloitte
& Touche financial audit for UTPB.
Section IV – General Compliance Training Activities
Seven modules of training are delivered through Training Post for all continuing
faculty and staff. Five additional topics are required for new faculty and staff.
Required training is expected to be completed by December 31, 2006. For FY
2007, a total of 2,289 modules are currently assigned. 43.1% were completed by
November 16, 2006.
In addition to the basic training modules, a special mandatory Sexual Harassment
training program was provided by The Office of General Counsel in October
2006. A total of 282 or 88% of the total faculty and staff of 322 attended the
training. Follow-up training will be provided to the 40 individuals who were not
able to attend the October sessions.
Section V – Action Plan Activities
The following Action Plan items were implemented during the quarter just ended:
• Surveys were completed by the Committee to assess the compliance program and
the compliance officers.
• A self-assessment survey of the program was completed by the Compliance
Officer. The Compliance program, Compliance Committee, and Compliance
function were assessed to ensure continual improvement.
• The Committee requested individual certification letters from all budget heads
and responsible parties that provide assurance and/or note exceptions to
compliance activities and programs within each area.
• Mandatory Sexual Harassment Training was held for all faculty and staff in
October 2006.

Seventeen compliance issues were received by the Assistant Compliance Officer
during the quarter. Ten were investigated and closed. The remaining issues are
still under investigation. In addition, review was completed on ten issues carried
over from the previous year, and the issues were closed.
Completion of the following Action Plan items scheduled for first quarter FY 2007 was
delayed until subsequent quarters due to required audits that demanded the attention of
the Assistant Compliance Officer:
• Training for Responsible Parties on preparation of monitoring plans for high risks.
• Implementation of Compliance Committee receipt and review of monitoring plans
for the top risks identified in the Tier One Risk Management process.
• The Committee presented the revised Standards of Conduct to the Administrative
Council for review and obtained final approval of Executive Staff. A distribution
notice will be sent in December 2006 and the revised standards will be posted to
the UTPB website.
• The Committee will take the revised Compliance Manual to Administrative
Council for review in December 2006. After comments are received, the revision
will go to Executive Staff for final approval.