The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended November 30, 2006

Section I – Organizational Matters

A quarterly meeting of the Institutional Compliance Committee was held on November 30, 2006. One change in membership on the Institutional Compliance Committee was completed at the beginning of the fiscal year. There were no changes in the Compliance staff.

Section II – Risk Assessment, Monitoring Activities and Specialized Training (Performed by Responsible Party)

High-Risk Area #1: Information Security

Responsible Party: Keith Yarbrough, Director of Information Resources

Key “A” risk(s) identified:
- Unauthorized information disclosure through password access obtained by deceiving user
- Inadequate protection of confidential information including Social Security Numbers
- Lack of training on information security

Key Monitoring Activities:
- Monitoring of all network traffic to centralized servers with the Nitro IPS/IDS appliance. Some unauthorized software within the UTPB local area network was detected and remediated through removal of the software.
- Nitro IDS/IPS appliance is blocking selected traffic signatures and vulnerabilities. The blocking is done by the appliance vendor according to identified threats.
- Review of logon / logon attempt logs for SIS server on a daily basis. Monitoring revealed several attempts to penetrate the system from outside the local area network. Consequently, access to this system from the outside has been restricted at the firewall.

Specialized Training:
An online training program is being developed for users that require access to our systems. The first course will be for users requiring access to the SIS. Potential users will be required to complete the online course and pass a quiz before the user will be given an account on that system. Implementation is expected during the fiscal year.

High-Risk Area #2: Research

Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and Sponsored Research

Key “A” risk(s) identified:
- Inadequate training about Federal reporting requirements
- Noncompliance with new Federal report requirements such as Time and Effort
- Inappropriate use of animal and human subjects, research subjects and materials

Key Monitoring Activities:
A Time and Effort Policy to be included in the UTPB Handbook of Operating Procedures was presented to the Institutional Compliance Committee on November 30, 2006. The policy is currently open for comments. Monitoring plan activities are being prepared based on the proposed policy.

Specialized Training:
The Time and Effort Reporting training program provided by UT System is being customized to the policy that is currently under consideration. We are continuing our present PI training process which will be revised for consistency with the proposed Time and Effort Policy. No training was conducted during the first quarter of FY 2007.

Risk assessments for the remaining “top” risks will be completed during quarters two and three of this fiscal year. Monitoring and reporting procedures will be established at that time.

Section III – Monitoring and Assurance Activities (Performed by Compliance Office)

Monitoring activities have not taken place during the first quarter of FY 2007; however, the Audit Plan for 2007 for UTPB includes audits in the following high risk areas that will be completed during the fiscal year:

1) Effort Reporting—progress on implementation of BPM 76
2) Confidentiality of Social Security Numbers—progress on implementation of BPM 66
3) Confidentiality and integrity of Digital Research Data—progress on implementation of BPM 75
4) TAC 202—compliance with DIR Rules and Regulations regarding IT Security
5) NCAA—audit in an area to be determined

Upon development of monitoring plans in each of the high risk areas, monitoring and assurance activities will be developed and performed.
At that time significant findings will be reported and assessment of the control structure will be reported.

In Section IV of this report, results of mandatory training related to Sexual Harassment are reported. This training was held in response to confidential compliance reports received as well as identification of inappropriate relationships and activities by faculty and staff as a high risk area. The follow-up training for those who missed the mandatory training will be monitored.

The risk of having inadequate financial information to close the prior year and failure to achieve budget assumptions was partially assessed through the Deloitte & Touche financial audit for UTPB.

Section IV – General Compliance Training Activities

Seven modules of training are delivered through Training Post for all continuing faculty and staff. Five additional topics are required for new faculty and staff. Required training is expected to be completed by December 31, 2006. For FY 2007, a total of 2,289 modules are currently assigned. 43.1% were completed by November 16, 2006.

In addition to the basic training modules, a special mandatory Sexual Harassment training program was provided by The Office of General Counsel in October 2006. A total of 282 or 88% of the total faculty and staff of 322 attended the training. Follow-up training will be provided to the 40 individuals who were not able to attend the October sessions.

Section V – Action Plan Activities

The following Action Plan items were implemented during the quarter just ended:
- Surveys were completed by the Committee to assess the compliance program and the compliance officers.
- A self-assessment survey of the program was completed by the Compliance Officer.
- The Compliance program, Compliance Committee, and Compliance function were assessed to ensure continual improvement.
- The Committee requested individual certification letters from all budget heads and responsible parties that provide assurance and/or note exceptions to compliance activities and programs within each area.
- Mandatory Sexual Harassment Training was held for all faculty and staff in October 2006.
- Seventeen compliance issues were received by the Assistant Compliance Officer during the quarter. Ten were investigated and closed. The remaining issues are still under investigation. In addition, review was completed on ten issues carried over from the previous year and the issues were closed.

Completion of the following Action Plan items scheduled for first quarter FY 2007 was delayed until subsequent quarters due to required audits that demanded the attention of the Assistant Compliance Officer:
- Training for Responsible Parties on preparation of monitoring plans for high risks.
- Implementation of Compliance Committee receipt and review of monitoring plans for the top risks identified in the Tier One Risk Management process.

The Committee presented the revised Standards of Conduct to the Administrative Council for review and obtained final approval of Executive Staff. A distribution notice will be sent in December 2006 and the revised standards will be posted to the UTPB website.

The Committee will take the revised Compliance Manual to Administrative Council for review in December 2006. After comments are received, the revision will go to Executive staff for final approval.