Second Quarterly Report FY 2008

The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended February 29, 2008
Section I – Organizational Matters
• A meeting of the Institutional Compliance Committee was held January 24, 2008.
• There were no changes in the Compliance staff or Committee members.
Section II – Risk Assessment, Monitoring Activities and Specialized Training (Performed by Responsible Party)
High-Risk Area #1: Research
Responsible Party: J. Tillapaugh, Asst. Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:
• Inadequate training about Federal reporting requirements
• Noncompliance with Federal reporting requirements such as Time and Effort
• Inappropriate use of animal and human subjects, research subjects and materials
Key Monitoring Activities:
• The Responsible Party reviewed the Effort Commitment & Certification reports
that were completed by principal investigators of Federal grants during the
period. Questions arising during the review were resolved.
• An Action Plan, a Monitoring Plan, an Effort Commitment & Certification
Policy and a Training Plan were reviewed and approved by the Institutional
Compliance Committee in September 2008. The policy was submitted to the
Office of General Counsel for review.
• A non-DEFINE paper system is being designed for Effort Commitment and
Certification for non-federal grants and contracts. It will be included in training
of the identified responsible parties with non-federal grants that come under the
UTPB policy.
Specialized Training: Training on the Effort Commitment & Certification Policy has
been completed for all individuals with principal responsibilities on all UTPB Federal
grants.
High-Risk Area #2: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
• Unauthorized information disclosure through password access obtained by deceiving
the user
• Inadequate protection of confidential information including Social Security Numbers
• Lack of training on information security
Key Monitoring Activities:
• Monitoring of campus network traffic has been expanded and now includes not only
monitoring by a network intrusion detection/prevention system manufactured by
Nitro Security but also complete monitoring and scanning of all e-mail. In
addition to scanning for viral content, e-mail scanning also uses pattern matching
techniques to detect confidential content in e-mail (primarily Social Security numbers
and credit card numbers). When confidential content is detected, the user is notified
that they are using poor security practices.
• The network intrusion detection/prevention system is blocking selected network
traffic when that traffic matches certain risk signatures. These risk signatures are
updated on a regular basis to ensure current risks are recognized. Logs of these
activities are reviewed daily.
• A periodic review of successful logins and unsuccessful login attempts for the
student information system is conducted. Monitoring revealed several attempts to
penetrate the system from outside the local area network. Consequently, access to
this system from the outside has been restricted at the firewall. Login attempt
monitoring for this system continues on a routine basis.
Specialized Training:
Users who send or receive detected confidential information through e-mail are provided
special notification.
High-Risk Area #3: Change Control
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
• Inadequate control over network and server configuration changes
Key Monitoring Activities:
UTPB has a well-documented process for monitoring and approving changes to the
student information system environment. However, in the network and Windows server
environment UTPB is still developing the change control process. Due to this complex
environment, changes are made in the production environment without extensive
validation and testing. UT System has issued an RFP for change control software. Once
selected, the product should provide a set of tools that will greatly facilitate change
control for the Windows server and client environment.
Section III – Monitoring and Assurance Activities (Performed by Compliance Office/Designate)
High-Risk Area: Inadequate financial information to establish current position and
close out prior year; Bad financial rating status; Failure to achieve budget assumptions
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: Compliance Officer and Internal
Auditor/Asst. Compliance Officer meet weekly with the President, Provost and
Director of the Office of Accounting to review current financial position and
potential actions that could impact year end results and financial rating status.
High-Risk Area: Research
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: The Asst. Compliance Officer
and Designated Responsible Party attended a meeting with Huron representatives
regarding acquisition of the software for Time and Effort reporting.
High-Risk Area: Athletics
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: A Compliance Review of the
athletics program has been set for the first week in March 2008. This review will
result in recommendations for improvement of the program and could result in a
recommendation that UTPB be moved from probationary to full member status
in NCAA Division II. The Asst. Compliance Officer also attended an Athletic
Compliance Committee meeting during the quarter.
Section IV – General Compliance Training Activities
Six modules of General Compliance training administered through Training Post were assigned to
all continuing employees for FY 2008. New employees were assigned twelve General
Compliance modules. December 31, 2007 was the date set by the Institutional Compliance
Committee for the assigned training to be completed. As of January 22, 2008, 2,011 of the 2,059
modules assigned or 97.7% were completed. Some of the incomplete modules are assigned to
new employees who have a completion date after the report date. Follow-up reminders from the
appropriate executive staff will be used to remind remaining staff to complete the training.
Section V – Action Plan Activities
The following Action Plan items were implemented during the quarter just ended:
• Compliance assurance reports certified by staff were reviewed and a summary of partial
compliance or non-compliance was prepared. Follow-up was made on the reports that
have not been received. The summary will be presented to the Compliance Committee in
the third quarter of FY 2008.
• A campus-wide compliance awareness survey was prepared for distribution in early
March, 2008. Results will be compared to results from previous annual surveys.
• Compliance information was submitted for inclusion in the February 2008 UTPB
Employee Newsletter.
• Compliance awareness training was held for faculty and staff in the College of Arts and
Sciences and the Student Senate during the quarter. The Administrative Council is
informed of current compliance topics at each meeting.
• The Assistant Compliance Officer participated in a UT System Institutional Compliance
Advisory Council (“ICAC”) meeting in December 2007 in Dallas and the Peer Review
and Assurance Activities Committee. The Compliance Officer and Assistant Compliance
Officer attended the February 2008 ICAC videoconference.
• Provided monthly reports and the first quarterly report for FY 2008 to the U.T. System
office.
• Held a meeting of the Institutional Compliance Committee during the quarter.
Completion of the following Action Plan items scheduled for the first two quarters of FY 2008
was delayed until subsequent quarters due to other projects that demanded the attention of the
Assistant Compliance Officer:
• The Committee will obtain final approval and distribute the revised Compliance Manual
to appropriate staff.
• Monitoring plans for the top risks will be reviewed by the compliance officers and
completed plans will be presented to the Compliance Committee for review.
• The Compliance Committee will begin reviewing quarterly reports on monitoring
activities for the top risks identified in the Tier One Risk Management process.