Reply To: Compliance


Thank you for your responses to all of the threads and comments.

As additional direction is provided, could we submit this for consideration and revision of the Compliance section?

It appears that by policy, Internal Audit and the UNM Compliance office are solely responsible for audits and compliance:

This policy would appear to limit the scope of the current Compliance sections.

Putting aside current policy, there are operational complications that cause me the most concern. Having three separate units each with the ability to independently make compliance and audit determinations introduces the risk of confusion and delay, which will arise as ownership is hashed out among them. I suspect that such re-articulation of ownership will occur with many subsequent audits. Resource and scheduling conflicts likely result too as units (that have not regularly conducted sanctioned audits) are now expected to support audits. All of these will delay compliance efforts.

With ownership up for grabs, multiple units may see an audit as ‘theirs,’ which leads to contention, and delay again, as that gets worked out. And given a negative budget climate, I could see one unit attempting to transfer ownership of an audit to another unit in order to avoid the time commitment and cost required to conduct the audit. This observation is meant only as a general note and not as a comment on any particular UNM unit – it’s natural, when responsibility is not clearly assigned and there is a time or cost downside, for anyone to sidestep or transfer that ownership.

To avoid this potential for contention, miscommunication, and delay, perhaps the Standard language should limit the auditing department to one neutral entity: Internal Audit.

Internal Audit is the most independent, experienced, and resourced department UNM has for auditing, so it would make sense for them to serve as the clearinghouse for audit intake, fact-finding, and determination. As discussed at IT-Agents this week, our larger goal is to reduce operational inefficiencies and minimize communication issues – resolving the number of potential auditing bodies from three to one would align with this, and ultimately minimize risk for everyone.