The University of Texas of the Permian Basin Institutional Compliance Program Annual Report Fiscal Year Ending August 31, 2006 Program Executive Summary The Institutional Compliance Committee and Program experienced stability in staff and growth in activity during the 2006 Fiscal Year. Staff included a Compliance Officer and an Assistant Compliance Officer / Internal Auditor. One change in membership on the Institutional Compliance Committee was completed. A peer review was completed for UTPB in October 2005. Training for the Committee members was held during the August 2006 meeting. Compliance issues brought to the attention of the Compliance Officer or Assistant Compliance Officer were investigated during the year. New activities in the Compliance area continued to raise awareness of the Program among faculty, staff and students. Activities within monitoring and training plans for high risk and other areas continued. Risk Assessment, Monitoring Activities and Specialized Training The Institutional Compliance Committee received reports from individual areas with special issues. In fiscal year 2005, an Enterprise Risk Management process to update a previous risk assessment was started. Thirteen activity areas with high risks for the campus were identified. Those areas include: Institutional Advancement, Accounting, Academic Affairs, Student Services, Enrollment Management, Human Resource Management, Physical Plant, Research, Strategic Planning, Outreach, Intercollegiate Athletics, IT Infrastructure and Auxiliary Enterprises. In Fiscal Year 2006, specific risks in each area were identified and rated, and a risk footprint was developed. Tier II risk assessments were completed for Research and for Information Technology. The process to identify the “A” compliance risks that will be monitored by the Committee was started. Identification of the responsible parties, monitoring activities and specialized training will be developed in Fiscal Year 2007. Monitoring and Assurance Activities with Significant Findings Certification letters were requested from all budget heads regarding compliance of their areas with university policies and procedures. Exceptions reported in the letters were summarized for the Committee and reviewed for corrective action. Outstanding internal audit recommendations were reviewed to determine that satisfactory progress was being made toward completion. Issues identified by the external auditors were monitored on a regular basis throughout the year. The Assistant Compliance Officer and Director of Human Resources investigated specific compliance issues raised during the year. Recommendations for correction or improvement were made, if applicable. No major problems were identified in the assurance activities. No restrictions in the scope of work or access to required information occurred in any of these activities. A peer review was held during October 2005. Recommendations of the peer review team were incorporated into the action plan for the fiscal year. Finalization of a list of “A” risks, development of monitoring plans and implementation of monitoring and assurance activities will be completed in Fiscal Year 2007. General Compliance Training Activities The University uses the Training Post computer-based training system for its general compliance training. All new employees were required to complete twelve training modules for the basic risk areas. All continuing employees were expected to complete six modules. Through August 31, 2006 the completion rate for all assigned general compliance training modules was 96.7%. This represented an improvement from the 95% completion rate for Fiscal Year 2005. The total number of required training modules was 2,004. In addition to the general training, specialized training was offered during the year for specific groups. Computer software problems continue to limit the availability of the Training Post modules and updated reporting of completion statistics. Breeze software was purchased to replace the Training Post. The planned update and conversion of Training Post modules to Breeze was delayed by the resignation of two information resources staff members who were trained in Breeze operations. The Compliance Committee discussed possible solutions to this delay, including hiring an outside consultant knowledgeable in Breeze software operations. Action Plan Activities Early in the fiscal year, the Institutional Compliance Committee approved the 2005-2006 Action Plan. Plan activities that were completed during the year include: approval of a training plan for the 2006 fiscal year; completion of surveys by the Committee to assess the compliance program and the compliance officers and a self-assessment survey of the program by the Compliance Officer; completion of a UT System peer review; completion of individual certification letters by all budget heads and responsible parties that provide assurances and note exceptions to compliance activities within each area; review of compliance assurance reports; a campus-wide compliance awareness survey was conducted and compared to previous year results; and a newsletter to employees and staff was established and two issues were distributed during the fiscal year. The Committee continued a review and update of the institutional risk assessment for all areas that resulted in completion of a Tier I risk footprint and Tier II assessments for Research and Information Technology. Monitoring, training and reporting plans will be completed in the next fiscal year. Drafts of updates to the Standards of Conduct for all university staff and the Compliance Manual for appropriate staff were presented to the Committee in August 2006 for review and comments. Work was initiated on revisions to the Management Responsibilities Handbook for appropriate staff and a Compliance Manual for Committee members to be used in orienting new members and to be a resource for continuing members. Ongoing activities of the Committee include development of additional training programs, review of compliance inquiry line reports, and update of the Compliance web page. Due to time and staff constraints, action plan items that were deferred to Fiscal Year 2007 include: completion of monitoring, training and reporting plans for high-risk areas identified in the risk assessment process; completion of a training timeline that will incorporate training to be offered throughout the campus; and conversion of Training Post modules to the new format/system in Breeze. Confidential Reporting The Institutional Compliance Program provides the following mechanisms for reporting compliance issues: a confidential “888” telephone number, an internal telephone line, and an email address that may be accessed directly or through the Compliance website. In addition, the Compliance Officer or Assistant Compliance Officer may be contacted directly. In practice, calls or personal visits that initially are made to the President or other individuals in the university are transferred to the Compliance Officer or Assistant Compliance Officer in order to expedite the review and reporting of the call. Thirty-five compliance inquiries were reported during the 2005-2006 fiscal year. Five inquiries were by internal hotline, three by regular phone line, two in writing, eight by email, fifteen in person and one originated on the UT System hotline. One issue was received by a combination of methods from multiple sources. Twentyfive inquiries have been resolved and ten are under continuing review. The composition of the compliance inquiries were as follows: Type Improper Use of University Property & Resources Human Resources/HOP Privacy Miscellaneous Fiscal Reporting/Audit Total Number % of Total 13 9 1 7 5 35 37% 26 3 20 14 100% All reports are handled through a three-person triage team comprised of the Compliance Officer, Assistant Compliance Officer and Director of Human Resources. Six of the issues were referred to OGC for review. Four of the six was considered significant and the System-wide Compliance Officer was appropriately notified and briefed on the issues and resolution. The 2006 Annual Report is submitted by: ____________________________________ Christopher R. Forrest, Ph.D. Compliance Officer Vice President for Business Affairs _____________________________________ W. David Watts, Ph.D. President Date Submitted: September 21, 2006