Third Quarterly Report FY 2008

The University of Texas of the Permian Basin
Institutional Compliance Program
Quarterly Report
For the Quarter Ended May 31, 2008
Section I – Organizational Matters
• A meeting of the Institutional Compliance Committee was held April 24, 2008.
• There were no changes in the Compliance staff or Committee members.
Section II – Risk Assessment, Monitoring Activities and Specialized Training (Performed by Responsible Party)
High-Risk Area #1: Animal and Human Research
Responsible Party: J. Tillapaugh, Asst. Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:
• Inappropriate use of animal and human subjects, research subjects and materials
• Inadequate training of Institutional Animal Care & Use Committee (IACUC),
principal investigators and staff on policies and procedures
Key Monitoring Activities:
• The IACUC met April 25, 2008 to conduct a semiannual program review of the
Animal Care and Use Program. Of 33 program and facility requirements
reviewed, 22 were found to be met in an acceptable manner, 7 had minor
deficiencies and 4 had significant deficiencies.
Specialized Training: Training of IACUC and training of principal investigators and
staff were two of the four significant deficiencies. The committee will find a training
program that will meet the needs of the university. Target date for finding a program is
July 31, 2008.
High-Risk Area #2: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
• Unauthorized information disclosure through password access obtained by
deceiving a user
• Inadequate protection of confidential information including Social Security
Numbers
• Lack of training on information security
Key Monitoring Activities:
• Ongoing monitoring of e-mail (100% of inbound and outbound) for confidential
content including Social Security numbers and credit card numbers. For the
period 5/10/08 through 6/9/08, inbound messages included 74 that triggered the
SSN filter and 12 that triggered the credit card filter. Outbound messages
included 39 that triggered the SSN filter and 10 that triggered the credit card
filter. Individual faculty or staff members receiving or sending the messages
were notified of the violations. Repeat offenders were reported to their
supervisor and the Compliance department.
• Network traffic traversing two established monitoring points was monitored by
automated traffic monitoring equipment. The Nitro security appliance
automatically responded to a number of network threats. None were considered
critical.
Specialized Training:
Users who send or receive detected confidential information through e-mail are provided
special notification.
High-Risk Area #3: Donations
Responsible Party: Kay Bivens, Director of Institutional Advancement
Key “A” risk(s) identified:
• Failure to comply with Federal regulations and donor requirements or objectives
Key Monitoring Activities:
• Checked 8 of 1059 gifts received for accurate recording in the departmental
Statement of Accounts. Found 8 entries coded “individual” instead of “alumni”.
All codes were corrected.
Specialized Training: New Administrative Assistant was given additional training on
use of the correct codes for proper accounting.
Section III – Monitoring and Assurance Activities (Performed by Compliance Office/Designate)
High-Risk Area: Inadequate financial information to establish current position and
close out prior year; Bad financial rating status; Failure to achieve budget assumptions
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: Compliance Officer and Internal
Auditor/Asst. Compliance Officer had a regularly scheduled weekly meeting
with the President, Provost and Director of the Office of Accounting to review
current financial position and potential actions that could impact year end results
and financial rating status.
High-Risk Area: Top Risk Areas
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: The Asst. Compliance Officer
and the Athletic Compliance Officer reviewed draft monitoring plans submitted
for all top risk areas. Due to inconsistencies in the format and documentation, a
training session for designated responsible parties was held.
High-Risk Area: Athletics
Assessment of Control Structure: Opportunity for enhancement
• Monitoring/Assurance Activities Conducted: A Compliance Review of the
athletics program was conducted in March 2008 by a contracted firm. The
reviewers did not find any major areas of concern in the compliance systems they
observed. They did make recommendations for improvement of the program.
Section IV – General Compliance Training Activities
Six modules of General Compliance training administered through Training Post were assigned to
all continuing employees for FY 2008. New employees were assigned twelve General
Compliance modules. December 31, 2007 was the date set by the Institutional Compliance
Committee for the assigned training to be completed. As of April 16, 2008, 2,036 of the 2,154
modules assigned or 94.5% were completed. Some of the incomplete modules are assigned to
new employees who have a completion date after the report date. Follow-up reminders from the
appropriate executive staff will be used to remind remaining staff to complete the training.
Specialized training was developed for the designated responsible parties for all top risk areas. A
template for reformatting of monitoring plans was presented along with the template for quarterly
reporting and a schedule of report dates through the next fiscal year. All responsible parties
attended the training (10 of 10).
Section V – Action Plan Activities
The following Action Plan items were implemented during the quarter just ended:
• A summary of partial compliance or non-compliance reported in Compliance assurance
reports certified by staff was presented to the Compliance Committee.
• Results of a campus-wide compliance awareness survey were provided to the
Compliance Committee. Results were compared to responses from previous annual
surveys.
• The first drafts of monitoring plans for the top risks were reviewed by the compliance
officers and the draft plans were presented to the Compliance Committee for review.
• Held a training session on preparation of monitoring plans and quarterly reports for
Responsible Parties for top risks. A deadline for revision of monitoring plans into one
template was provided along with a schedule for submission of quarterly reports.
• Compliance information was submitted for inclusion in the March and April/May 2008
UTPB Employee Newsletters.
• The Administrative Council was informed of current compliance topics at each meeting.
• The Assistant Compliance Officer participated in UT System Institutional Compliance
Peer Review and Assurance Activities Committee conference calls and projects.
• Provided the second quarterly report for FY 2008 to the U.T. System office.
• Held a meeting of the Institutional Compliance Committee during the quarter.
• A Trainer position was added to the Office of Human Resources staff on May 1, 2008.
The Trainer started accumulating data regarding areas where training can be used to
address best practices and policies and procedures of the organization.
Completion of the following Action Plan items scheduled for the first three quarters of FY 2008
was delayed until subsequent quarters due to other projects that demanded the attention of the
Assistant Compliance Officer:
• The Committee will obtain final approval and distribute the revised Compliance Manual
to appropriate staff.
• The Compliance Committee will begin reviewing quarterly reports on monitoring
activities for the top risks identified in the Tier One Risk Management process.
• The Committee will adopt a revised Compliance Packet for committee members
to be used in orienting new committee members and to be a resource for
continuing members.
• The Committee will review, update and distribute the Management
Responsibilities Handbook for appropriate staff.