The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
Section I – Organizational Matters


A quarterly meeting of the Institutional Compliance Committee was held on February 15,
2007. The next meeting is scheduled for May 7, 2007
There were no changes in membership on the Institutional Compliance Committee during
the quarter and there were no changes in the Compliance staff.
Section II - Risk Assessment, Monitoring Activities and Specialized Training
(Performed by Responsible Party)
High-Risk Area #1: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:



Unauthorized information disclosure through password access obtained by deceiving
user
Inadequate protection of confidential information including Social Security Numbers
Lack of training on information security
Key Monitoring Activities:



Monitoring of all network traffic to centralized servers with the Nitro IPS/IDS
appliance. Some unauthorized software within the UTPB local area network was
detected and remediated through removal of the software. UTPB has recently
purchased additional capabilities in this area. In addition to monitoring network
traffic at additional sensor points, the expanded Nitro system will also provide
essential log correlation capabilities across multiple network devices. Temporal
correlation between multiple network devices (routers, firewalls, intrusion detection
systems, etc.) is essential in understanding a dynamic network environment.
Nitro IDS/IPS appliance is blocking selected traffic signatures and vulnerabilities.
The blocking is done by the appliance vendor according to identified threats.
Review of logon / logon attempt logs for Student Information System (SIS) server on
a daily basis. Monitoring revealed several attempts to penetrate the system from
outside the local area network. Consequently, access to this system from the outside
has been restricted at the firewall. Logon attempt monitoring for this system
continues on a routine basis
Specialized Training:
An online training program is being developed for users who require access to our
systems. The first course will be for users requiring access to the SIS. Potential users will
be required to complete the online course and pass a quiz before the user will be given an
1
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
account on that system. Implementation is expected during the fiscal year. One section
of this training has been incorporated into the faculty training module for the
CampusConnect Faculty Access System.
High-Risk Area #2: Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:



Inadequate training about Federal reporting requirements
Noncompliance with new Federal reporting requirements such as Time and Effort
Inappropriate use of animal and human subjects, research subjects and materials
Key Monitoring Activities:
A Time and Effort Policy to be included in the UTPB Handbook of Operating Procedures
was presented to the Institutional Compliance Committee on November 30, 2006. The
policy is currently open for comments. The Compliance Committee approved the policy
at its meeting on February 15, 2007. Monitoring plan activities are being prepared based
on the new policy.
Specialized Training:
The Time and Effort Reporting training program provided by UT System is being
customized to the policy that is currently under consideration. We are continuing our
present PI training process which will be revised for consistency with the new Time and
Effort Policy. No training was conducted during the second quarter of FY 2007.
Risk assessments for the remaining “top” risks will be completed during the third quarter
of this fiscal year. Monitoring and reporting procedures will be established at that time.
High-Risk Area #3: Animal and Human Subjects Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:


Inadequate training about Federal reporting requirements
Inappropriate use of animal and human subjects, research subjects and materials
2
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
Key Monitoring Activities:
The human subject research review and approval system continues to function well,
with 129 protocols submitted in the first two quarters of FY 2007. Four were not
completed through the approval process, and forty four were revised for compliance and
final approval.
Institutional Animal Care and Use has received important attention in the first two
quarters, with the development of revisions in policies and procedures as called for by the
USDA’s Standards and UT System recommendations for compliance. The new
statements proposed by the Institutional Animal Care and Use Committee received
internal approvals. The revised policies and application forms have been posted to two
web sites at UTPB, administrative forms and the Graduate Studies home page.
Monitoring plan activities will be prepared based on the new policies during the third
quarter of FY 2007.
Specialized Training:
Investigators must certify that they have received training on the posted federal
guidelines and regulations in order to present a protocol for review and approval. No
additional training was required or conducted during the first and second quarters of FY
2007.
High Risk Area #4: Learning Environment, retention and graduation rates.
Responsible Party: Dr. Susan Lara, Vice President for Student Services
Key “A” risks identified:




Failure to provide a learning environment for success
Failure to meet student expectations
Failure to meet established measures of retention and
Failure to meet established standards for graduation rates.
Key Monitoring Activities:




Enrollment management plan that was prepared and distributed in May 2006 has
been reviewed and progress has been noted and discussed in Student Services
Directors Meetings and in Enrollment Management Committee Meetings
Students on academic probation are being tracked and given additional activities to
help them succeed.
Managing Academia for Personal Success (MAPS) program in place for early
referrals
Monitoring of freshmen through the freshmen seminar coordinator.
3
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
Specialized Training:



All Student Services personnel have been trained on enrollment management and
have been asked to ensure their areas are in compliance
Student Services student workers have been given additional training for customer
relations and helpfulness
Staff have attended conferences in their fields to gain more information that will help
them to assist students
High Risk Area #5: Recruitment
Responsible Party: Dr. Susan Lara, Vice President for Student Services
Key “A” risks identified:

Failure to recruit and attract students
Key Monitoring Activities:




Established a weekly meeting with director of admissions to review his office’s
actions and effectiveness.
Asked for weekly admissions reports and conducted discussions with administrative
council, Student Services directors, Enrollment Management Committee and Director
of Admissions
Developing new recruiting plan
Met with admissions staff to review their progress
Specialized Training:


Admissions counselors have been sent to meetings for training
An admissions retreat has been held to train admissions staff and to provide guidance.
High Risk Area #6: Unsafe student behavior [including drug and alcohol use]
Responsible Party: Dr. Susan Lara, Vice President for Student Services
Key “A” risks identified:



Students may use drugs and alcohol
Students may practice unsafe sex and other behaviors
Students may be at risk for violent attacks and or domestic violence
Specialized Training:
4
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007





Provided seminars and activities for drug and alcohol awareness
Provided “Street Smart” campaign before spring break
Provided awareness of alcohol risks through “green beans” campaign
Provided training for handling rapes and attacks
Provided awareness of Aids, safe sex and use of contraceptives
High Risk Area #7: Inadequate financial information to establish current position
and close out prior year; Bad financial rating status; Failure to achieve budget
assumptions
Responsible Party: Dr. Chris Forrest, Vice President for Business Affairs
Key “A” Risks Identified:



Inadequate financial information to establish current position and close out prior year
Bad financial rating status
Failure to achieve budget assumptions
Key Monitoring Activities:
The risk of having inadequate financial information to close the prior year and failure to
achieve budget assumptions was partially assessed through the Deloitte & Touche
financial audit for UTPB and through a newly developed variance analysis format
Section III – Monitoring and Assurance Activities (Performed by Compliance
Office)
High-Risk Area #1: Information Security
Assessment of Control Structure: Opportunity for Enhancement
Assurance Activities Conducted: The following assurance activities are planned with
respect to Information Security:
1) Confidentiality of Social Security Numbers—progress on implementation of
BPM 66
2) Confidentiality and integrity of Digital Research Data—progress on
implementation of BPM 75
3) TAC 202—compliance with DIR Rules and Regulations regarding IT Security
High-Risk Area #2: Research
Assessment of Control Structure: Opportunity for Enhancement
Assurance activity to be conducted:
1) Audit of Time and Effort Reporting—progress on implementation of BPM 76
5
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
High-Risk Area #3: Animal and Human Subjects Research
Assessment of Control Structure: Opportunity for Enhancement
High Risk Area #4: Learning Environment, retention and graduation rates
Assessment of Control Structure: Opportunity for Enhancement
High Risk Area #5: Recruitment
Assessment of Control Structure: Opportunity for Enhancement
High Risk Area #6: Unsafe student behavior [including drug and alcohol use]
Assessment of Control Structure: Opportunity for Enhancement
High Risk Area #7: Inadequate financial information to establish current position and
close out prior year; Bad financial rating status; Failure to achieve budget assumptions
Assessment of Control Structure: Opportunity for Enhancement
Overall, Monitoring activities have not taken place during the second quarter of FY 2007
Upon development of monitoring plans in each of the high risk areas, monitoring and
assurance activities will be developed and performed. At that time significant findings
will be reported and assessment of the control structure will be reported..
Section IV – General Compliance Training Activities
Seven modules of training are delivered through the Training Post for all continuing
faculty and staff. Five additional topics are required for new faculty and staff. Required
training was expected to be completed by December 31, 2006. For FY 2007, a total of
2,392 modules are currently assigned. 93.1% were completed by February 15, 2007.
Follow up is continuing.
Section V – Action Plan Activities
The following Action Plan items were implemented during the quarter just ended:
 The Committee reviewed compliance assurance reports certified by staff and issued
reminders where appropriate to ensure total compliance with the System-wide
compliance initiative.
 A campus-wide compliance awareness survey was conducted. A comparison of results
with previous annual surveys was prepared.
 The information on the Compliance webpage was reviewed and updates are being
prepared.
 Five new compliance issues were received by the Assistant Compliance Officer during
the quarter. One was investigated and closed. The remaining issues are still under
6
The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 28, 2007
investigation. In addition review was completed on one issue carried over from the
previous year and two from the previous quarter, and the issues were closed.
Completion of the following Action Plan items scheduled for first and second quarters FY 2007
were delayed until subsequent quarters due to required audits, an IRS audit and special projects
that demanded the attention of the Assistant Compliance Officer:
 Training for Responsible Parties on preparation of monitoring plans for high risks.
 Implementation of Compliance Committee receipt and review of monitoring plans and
quarterly reports for the top risks identified in the Tier One Risk Management process.
 The revised Standards of Conduct received final approval. A distribution notice will be
sent in April 2007 and the revised standards will be posted to the UTPB website.
 The Committee will take the revised Compliance Manual to Administrative Council for
review in May 2007. After comments are received, the revision will go to Executive staff
for final approval.
7