If your institution will have a Compliance Committee, I would consider involving them in both of these reviews. It should get them interested and engaged in the program.

Finally, perhaps it goes without saying, but I would also include in Tier 1 any obvious and known risk (e.g., wait, we don’t have a Title IX program?!).
2. Tier 2: Mid-level compliance risk review: Understanding how your campus is currently managing various compliance areas/risks
Early in the program, Compliance should meet with the individuals responsible for each of the functional compliance areas to assess the basic function and risk in that area. It is important that these meetings be productive and perhaps slightly provocative. You want to get beyond “what keeps you up at night” and really probe into policies, practices, and hot topics.
It is important that you prepare for these meetings, and that cannot be overstated. You are speaking to a subject-matter expert about their own area of expertise, so to be effective you should be both knowledgeable and respectful. Your goal is to understand the basic program and the risk, while demonstrating that you are knowledgeable, curious, and someone who understands
· Make sure you read any available policies or procedures on the area.
· Consult with your Internal Audit and Legal departments ahead of time and ask about their concerns in the compliance area (and get copies of reports, if you can).
· Read the news and any recent government reports/memos. You must be aware of what is going on in their world.
· Be positive and friendly, and use words like “we” and “ours” (instead of “you” and “yours”) to communicate that you are part of the team and the solution.
3. Tier 3: The detailed compliance
It is likely in any governmental review or audit that the auditor will have a long checklist of specific requirements. As such, it is important that Compliance (in conjunction with Internal Audit and others) review the university’s performance against individual regulations. Obviously, this type of detailed compliance review is time-consuming, but it is nevertheless important to review every area at a detailed level, at least periodically. One way to simplify the process is to have the functional compliance area do a regulatory self-review and present it to Compliance (or perhaps the Compliance Committee). Compliance will then use this self-review as the basis for further review. Make sure they include citations and
Sample tier 2 questions that are better than “What keeps you up at night?”
· Do we have a policy? Is our policy up to date? Do you follow that policy? Do other people follow that policy? Should that policy
· Do you get the support you need from other
· Do we train on that? Do you have a record of that training? Is it accurate?
· Has the government (or relevant authority) reviewed us on this? How did we do (and please send me the report)? Do you think we are ready for a government audit/review in
· When the government did X recently, how did
· University X just got fined/bad press for this, can that happen here? How do we ensure that