FY 2007 Annual Report

The University of Texas of the Permian Basin
Institutional Compliance Program
Annual Report
For the Year Ended August 31, 2007
Section I – Organizational Matters
- Quarterly meetings of the Institutional Compliance Committee were held on November 30, 2006, February 15, 2007, May 17, 2007 and August 23, 2007.
- One change in membership on the Institutional Compliance Committee was completed at the beginning of the fiscal year with the addition of the Director of Information Resources to a position previously held by a faculty member.
- There were no changes in the Compliance staff.
Section II – Risk Assessment, Monitoring Activities and Specialized Training (Performed by Responsible Party)
High-Risk Area #1: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
- Unauthorized information disclosure through password access obtained by deceiving a user
- Inadequate protection of confidential information including Social Security Numbers
- Lack of training on information security
Key Monitoring Activities:
- Monitoring of campus network traffic. This monitoring is performed by a network intrusion detection/prevention system manufactured by Nitro Security. Software in this system is updated by the vendor as required to ensure that the system can detect and respond to current network threats. Unauthorized software within the UTPB local area network is identified and responded to by this system. Recently UTPB purchased additional capabilities in this area. In addition to monitoring network traffic at additional sensor points, the expanded system also provides essential log correlation capabilities across multiple network devices. Using these capabilities, network traffic flows can be traced through multiple network devices. This capability greatly improves our ability to understand the traffic on our local network.
- The network intrusion detection/prevention system is blocking selected network traffic when that traffic matches certain risk signatures. These risk signatures are updated on a regular basis to ensure current risks are recognized. Logs of these activities are reviewed daily.
- A periodic review of successful logins and unsuccessful logon attempts for the student information system is conducted. Monitoring revealed several attempts to penetrate the system from outside the local area network. Consequently, access to this system from the outside has been restricted at the firewall. Logon attempt monitoring for this system continues on a routine basis.
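The periodic logon review described above, written out as an added example (this is not code from the report or from UTPB's systems). It parses constructed logon audit records, counts successes and failures per source address, flags any source that exceeds a failure threshold together with the accounts it tried, and lists every source outside the campus ranges, which is the evidence a reviewer would need before restricting outside access at the firewall. The record format, the campus address ranges (RFC 1918 space as a placeholder) and the threshold of five failures are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of logon audit records. The field layout is an assumption
# made for this example, not the student information system's real log format.
SAMPLE_LOG = """\
2007-05-17T08:01:12 user=jdoe result=SUCCESS src=10.20.5.14
2007-05-17T08:02:40 user=admin result=FAILURE src=203.0.113.45
2007-05-17T08:02:41 user=admin result=FAILURE src=203.0.113.45
2007-05-17T08:02:43 user=root result=FAILURE src=203.0.113.45
2007-05-17T08:02:44 user=sis result=FAILURE src=203.0.113.45
2007-05-17T08:02:46 user=oracle result=FAILURE src=203.0.113.45
2007-05-17T08:02:47 user=test result=FAILURE src=203.0.113.45
2007-05-17T08:15:03 user=msmith result=FAILURE src=10.20.5.22
2007-05-17T08:15:20 user=msmith result=FAILURE src=10.20.5.22
2007-05-17T08:15:41 user=msmith result=SUCCESS src=10.20.5.22
2007-05-17T09:30:00 user=registrar result=SUCCESS src=198.51.100.7
this line is not a logon record
"""

# Assumed campus (local area network) address ranges; a real review would use
# the institution's actual allocations.
LOCAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed number of failures from one source that warrants follow-up.
FAILURE_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


def parse_record(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ip_address(rec["src"])
    except ValueError:  # not a valid address: treat the record as malformed
        return None
    return rec


def is_local(addr):
    """True when the address falls inside one of the assumed campus ranges."""
    return any(addr in net for net in LOCAL_NETWORKS)


def review_logons(log_text, threshold=FAILURE_THRESHOLD):
    """Summarise logon activity by source and pick out what the review should act on."""
    failures, successes = Counter(), Counter()
    accounts_tried = defaultdict(set)  # source -> accounts named in failed attempts
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        src = str(rec["src"])
        if rec["result"] == "FAILURE":
            failures[src] += 1
            accounts_tried[src].add(rec["user"])
        else:
            successes[src] += 1

    # Sources whose failure count reached the threshold, with the accounts tried.
    flagged = {
        src: {"failures": n, "accounts": sorted(accounts_tried[src])}
        for src, n in failures.items() if n >= threshold
    }
    # Every source outside the campus ranges, whether it failed or succeeded.
    all_sources = set(failures) | set(successes)
    external = {
        src: {"failures": failures[src], "successes": successes[src]}
        for src in sorted(all_sources) if not is_local(ip_address(src))
    }
    return {
        "failures": dict(failures),
        "successes": dict(successes),
        "flagged": flagged,
        "external_sources": external,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = review_logons(SAMPLE_LOG)
    for src, info in report["flagged"].items():
        print(f"follow up: {src} had {info['failures']} failures against {info['accounts']}")
    for src, info in report["external_sources"].items():
        print(f"outside LAN: {src} failures={info['failures']} successes={info['successes']}")
    print(f"malformed lines skipped: {report['skipped_lines']}")
```

The review separates two questions the report raises: which sources are hammering the logon page (the threshold), and which activity originates outside the local area network at all (the firewall decision). Counting the distinct accounts behind a burst of failures distinguishes a user mistyping a password from a source cycling through account names, and the skipped-line count keeps parsing gaps visible to the reviewer.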
Specialized Training:
A training program is being developed for users that require access to our systems. The
first course will be for users requiring access to the student information system. Potential
users will be required to complete the course and pass a quiz before the user will be given
an account on the system. One section of this training has been incorporated into the
training for faculty use of the student information system.
High-Risk Area #2: Change Control
Responsible Party: Keith Yarbrough, Director of Information Resources
Key “A” risk(s) identified:
- Inadequate control over network and server configuration changes
Key Monitoring Activities:
UTPB has a well-documented process for monitoring and approving changes to the
student information system environment. However, in the network and Windows server
environment UTPB is still developing the change control process. This environment is
much less homogeneous than the student information system environment, so it is
much more difficult to construct and maintain a development environment that accurately
models the production environment. The end result is that changes are made in the
production environment without extensive validation and testing. UT System is in the
process of procuring System-wide licensing for a product called Configuresoft. This
product should provide a set of tools that will greatly facilitate change control for the
Windows server and client environment.
Specialized Training:
Specialized training in the use of the Configuresoft product will be required for selected
technical staff.
High-Risk Area #3: Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:
- Inadequate training about Federal reporting requirements
- Noncompliance with new Federal reporting requirements such as Time and Effort
- Inappropriate use of animal and human subjects, research subjects and materials
Key Monitoring Activities:
A draft Time and Effort Policy to be included in the UTPB Handbook of Operating
Procedures was presented to the Institutional Compliance Committee on November 30,
2006. The Compliance Committee approved the policy at its meeting on February 15,
2007. Time and effort reports submitted by Principal Investigators for the months of
March, April and May were reviewed for accuracy and concerns were discussed with the
investigators and cleared.
The Tier II Risk Assessment for Research was completed including additional risk
concerns for effort commitment and certification.
Specialized Training:
The Time and Effort Reporting training program provided by UT System is being
customized to the policy that is currently under consideration. No training was conducted
during FY 2007.
High-Risk Area #4: Animal and Human Subjects Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and
Sponsored Research
Key “A” risk(s) identified:
- Inadequate training about Federal reporting requirements
- Inappropriate use of animal and human subjects, research subjects and materials
Key Monitoring Activities:
The human subject research review and approval system continues to function well,
with 129 protocols submitted in the first two quarters of FY 2007. Four were not
completed through the approval process, and forty-four were revised for compliance and
final approval. In the last two quarters, there were an additional 135 protocols, one was
not completed and 26 were revised for compliance and final approval. The total for FY
2007 was 264.
Institutional Animal Care and Use has received important attention in the first two
quarters, with the development of revisions in policies and procedures as called for by the
USDA’s Standards and UT System recommendations for compliance. The new
statements proposed by the Institutional Animal Care and Use Committee received
internal approvals. The revised policies and application forms have been posted to two
web sites at UTPB, administrative forms and the Graduate Studies home page.
Monitoring plan activities will be prepared based on the new policies.
Specialized Training:
Investigators must certify that they have received training on the posted federal
guidelines and regulations in order to present a protocol for review and approval. No
additional training was required or conducted during the first and second quarters of FY
2007.
In May, the ex-officio head of the Institutional Review Board (IRB), the chair of the
Institutional Animal Care and Uses Committee (IACUC) and the UTPB lab director
attended a called U. T. System workshop for training and updates on IRB/IACUC issues.
Presentations were made about accreditation of IACUCs.
Section III – Monitoring and Assurance Activities (Performed by Compliance / Audit Office)
High-Risk Area: Research
Assessment of Control Structure: Significant Opportunity for Enhancement
Monitoring/Assurance Activities Conducted: Audit of UTS163 – Guidance on Effort
Reporting Policies issued in August 2007.
Significant Findings: Recommendations regarding implementation of the required
education and training program and establishment of a monitoring and reporting plan
were considered significant.
High-Risk Area: Information Security
Assessment of Control Structure: Opportunity for Enhancement
1) Assurance Activities in Process: Audit of Confidentiality and Integrity of Digital
Research Data—progress on implementation of BPM 75 / UTS165. Audit report will be
issued in the next fiscal year.
2) Assurance Activities in Process: TAC 202 Audit—compliance with DIR Rules and
Regulations regarding IT Security. Audit report will be issued in the next fiscal year.
High-Risk Area: Inadequate financial information to establish financial position
throughout the year and to close financial records at year end; Bad financial rating status;
Failure to achieve budget assumptions
Assessment of Control Structure: Opportunity for Enhancement
Monitoring/Assurance Activities Conducted: Deloitte & Touche financial audit for
Fiscal Year Ended August 31, 2006.
High-Risk Area: Inappropriate relationships and activities by faculty and staff
Assessment of Control Structure: Opportunity for Enhancement
Monitoring/Assurance Activities Conducted: In response to confidential compliance
reports received as well as identification of inappropriate relationships and activities by
faculty and staff, training for 282 faculty and staff members was conducted by The Office
of General Counsel in October 2006. This represented 88% of the total faculty and staff
of the University.
Section IV – General Compliance Training Activities
The University uses the Training Post computer-based training system for its general compliance
training. All new employees were required to complete twelve training modules for the basic risk
areas. All continuing employees were expected to complete seven modules. For Fiscal Year
2007 the completion rate for all assigned general compliance training modules was 97.1%. This
represented an improvement from the 96.7% completion rate for Fiscal Year 2006.
In addition to the general training, a special mandatory Sexual Harassment training program was
provided by the Office of General Counsel in October 2006. A total of 282 or 88% of the total
faculty and staff of 322 attended the training. General compliance issues were discussed with
several groups including the Athletic Department staff, School of Education and School of
Business faculty and staff and the department heads in the College of Arts and Sciences.
Computer software problems continue to limit the availability of the Training Post modules and
completion reports. Breeze software was purchased to replace the Training Post. Staff turnover
in Information Resources resulted in the loss of staff trained to work with Breeze. Alternate
solutions are being considered.
Section V – Action Plan Activities
Action Plan activities that were completed during the year include: final approval and
distribution of revised Standards of Conduct for all university staff; completion of surveys by the
Committee to assess the compliance program and the compliance officers and a self-assessment
survey of the program by the Compliance Officer; completion of individual certification letters by
all budget heads and responsible parties that provide assurances and note exceptions to
compliance activities within each area; review of compliance certification letters; training for
responsible parties of high risk areas on preparation of monitoring plans and required reports;
completion of a campus-wide compliance awareness survey and comparison to previous year
results; approval of a training plan for the 2008 fiscal year; and receipt and review of compliance
inquiry line reports and related issues.
Due to time and staff constraints, action plan items for which completion was deferred to Fiscal
Year 2008 include: final approval by Executive Staff and distribution of the revised Compliance
Manual; receipt and review of monitoring plans and quarterly reports for top risks; completion of
the process of identifying and accumulating information for inclusion in a revised Compliance
Manual for committee members to be used in orienting new committee members and as a
resource for continuing members; completion of the update of the Management Responsibilities
Handbook; completion of a timeline that will incorporate training to be offered throughout the
campus; and continue to update the Compliance web page. Conversion of Training Post to a new
delivery method will occur when the method of delivery is determined.
Section VI – Confidential Reporting
The Institutional Compliance Program provides the following mechanisms for reporting
compliance issues: a confidential “888” hotline, an internal telephone line, and an email address
that may be accessed directly or through the Compliance website. In addition, the Compliance
Officer or Assistant Compliance Officer may be contacted directly. In practice, calls or personal
visits that initially are made to the President or other individuals in the university are transferred
to the Compliance Officer or Assistant Compliance Officer in order to expedite the review and
reporting of the call. Fifty-two compliance inquiries were reported during the 2006-2007 fiscal
year. Two inquiries were by internal hotline, thirteen by regular phone line, two in writing,
twenty-one by email, and fourteen in person. Forty-two inquiries have been resolved and ten are
under continuing review.
The composition of the compliance inquiries was as follows:

Type                                             Number   % of Total
Improper Use of University Property & Resources      14          27%
Human Resources                                      11          21%
Privacy                                               4           8%
Miscellaneous                                        13          25%
Fiscal Reporting/Audit                               10          19%
Total                                                52         100%
All reports are handled through a three-person triage team comprised of the Compliance Officer,
Assistant Compliance Officer and Director of Human Resources. Five of the issues were referred
to the Office of General Counsel for review. One of the five was considered significant and the
System-wide Compliance Officer was appropriately notified and briefed on the issues and
resolution.
The 2007 Annual Report is submitted by:
_________________________________________________
Christopher R. Forrest, Ph.D.
Compliance Officer
Vice President for Business Affairs
_________________________________________________
W. David Watts, Ph.D.
President
Date Submitted: ___________________________________