- This topic has 7 replies, 3 voices, and was last updated 8 years, 8 months ago by darruti.
-
AuthorPosts
-
-
March 29, 2016 at 1:54 pm #633ccovey01Participant
It seems like we’re really talking about enforcement here, so not sure the boilerplate used for each standard is sufficiently detailed.
• Will audits become routine?
• How is an audit started, and by whom?
• Is there a punitive aspect?
• What is the remediation process?
• Will a department, or staff, be punished for being out of compliance?The level of enforcement within each standard should be very clear, and I would suggest that communications to our wider UNM audience should note any enforcement mechanisms that are in place – otherwise, they might conclude incorrectly that these standards ‘don’t apply to me or my unit.’
-
March 30, 2016 at 9:14 am #642darrutiParticipant
Hi Chad,
Those details still need to be established and vetted. The language currently reads:
“This standard has been developed under and is subject to all UNM policies, some of which are cited in the
References. The UNM Administration, Internal Audit, or UNM IT may determine the compliance of departmental
support approaches with this standard.”No additional conversations have taken place to my knowledge, and we don’t anticipate pursuing those details further until we get additional direction from senior administration.
-
March 30, 2016 at 9:33 am #643cdeanParticipant
Additionally, I believe there needs to be an appeal process that is clearly defined and articulated.
-
March 31, 2016 at 9:49 am #660darrutiParticipant
Cyndi,
When you mention appeals, what are your thoughts? Are you talking about If there is a difference of opinion in whether standards are being appropriately met?
-
March 31, 2016 at 12:18 pm #664cdeanParticipant
Duane,
Yes, that’s what I mean. The 2009 AD standard states “The ADTC evaluates and makes recommendations on requests for exceptions to this standard. The Office of the CIO is the only entity that can grant exceptions to this standard and will do so only after consultation with and recommendation of the ADTC.” Of course, there is no ADTC these days but I use that only as an example.
Quite frankly. even though I chaired that work group for quite a long time and was part of generating the standard, I was never comfortable with having the Office of the CIO as the “only entity that can grant exceptions” to the standard. I would find similar language related to an appeal process troubling if the only body who could determine if a standard is being met is a non-neutral party. I would suggest a formal appeals process be implemented, similar to other appeals process on campus (see, for example, the layers of appeal defined in UAP 3220 Dispute Resolution).
Cyndi
-
March 31, 2016 at 1:53 pm #669darrutiParticipant
Got it! Thanks.
-
April 14, 2016 at 1:52 pm #698ccovey01Participant
Duane,
Thank you for your responses to all of the threads and comments.As additional direction is provided, could we submit this for consideration and revision of the Compliance section?
It appears that by policy, Internal Audit and the UNM Compliance office are solely responsible for audits and compliance: http://policy.unm.edu/regents-policies/section-7/7-2.html
This policy would appear to limit the scope of the current Compliance sections.
Putting aside current policy, there are operational complications that cause me the most concern. Having three separate units each with the ability to independently make compliance and audit determinations introduces the risk of confusion and delay, which will arise as ownership is hashed out among them. I suspect that such re-articulation of ownership will occur with many subsequent audits. Resource and scheduling conflicts likely result too as units (that have not regularly conducted sanctioned audits) are now expected to support audits. All of these will delay compliance efforts.
With ownership up for grabs, multiple units may see an audit as ‘theirs,’ which leads to contention, and delay again, as that gets worked out. And given a negative budget climate, I could see one unit attempting to transfer ownership of an audit to another unit in order to avoid the time commitment and cost required to conduct the audit. This observation is meant only as a general note and not as a comment on any particular UNM unit – it’s natural, when responsibility is not clearly assigned and there is a time or cost downside, for anyone to sidestep or transfer that ownership.
To avoid this potential for contention, miscommunication, and delay, perhaps the Standard language should limit the auditing department to one neutral entity: Internal Audit.
Internal Audit is the most independent, experienced, and resourced department UNM has for auditing, so it would make sense for them to serve as the clearinghouse for audit intake, fact-finding, and determination. As discussed at IT-Agents this week, our larger goal is to reduce operational inefficiencies and minimize communication issues – resolving the number of potential auditing bodies from three to one would align with this, and ultimately minimize risk for everyone.
-
April 20, 2016 at 11:09 am #711darrutiParticipant
Hi Chad,
Thank you also for sharing your insight as we move forward. You have good points and great questions, and I know we will have a better product because of it. Clarifying compliance will be a very important aspect of the standard – I agree with you wholeheartedly and the Internal Audit and Compliance policy is the right reference. To your point, the “Authority” section indicates: “The Compliance Office is authorized to: 1. Obtain the necessary assistance of personnel involved in compliance activities. To this end, the Chief Compliance Officer shall identify a network of compliance partners who have expertise in specific compliance areas.” Internal Audit is specifically mentioned in the current draft, although not specifically determined as the group that will ensure compliance. As the language and approach mature, we will make sure to incorporate the Compliance Office and other aspects of the policy as well. As mentioned above, we will need additional direction from senior administration before the Compliance approach can be determined – it will not be a UNM IT decision.
-
-
AuthorPosts
- The topic ‘Compliance’ is closed to new replies.