Auditing Compliance Sideways and Up and Down, Part 2 in a 2-Part Series By Deena King
Editor’s Note: This is a follow-up article to Auditing Compliance Sideways and Up and Down, Part 1, which was published in the Winter 2017 issue.

First, let’s briefly review the fundamentals from Part 1, which introduced auditors to auditing for compliance with laws and regulations (sideways) and to eight compliance program internal control steps derived from the Federal Sentencing Guidelines (FSG) on Effective Compliance Programs (United States Sentencing Guidelines (USSG) §8B2.1). These internal control steps can be viewed as a process and should be found in all three levels of an organization—governance, management, and operations (up and down). In most institutions, these translate into:

• Board Oversight of Compliance
• An Institutional Compliance Program
• Subject-Specific Operational Compliance Programs (such as for Equal Employment Opportunity (EEO), the Occupational Safety and Health Administration (OSHA), the Family Educational Rights and Privacy Act (FERPA), the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), the National Collegiate Athletic Association (NCAA), etc.)

Part 1 also pointed out how the eight internal control steps and the three levels are in harmony with both the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework principles and The Institute of Internal Auditors Three Lines of Defense model.

Part 2 now explores in more detail how to audit “up and down” for the eight internal control steps, or control activities. The resulting information from sideways audits of compliance with laws and regulations and from these up and down audits will give management a more complete picture of what is happening in the institution’s compliance control structure across the organization and from top to bottom.

TESTING INTERNAL CONTROL STEPS AS CONTROL ACTIVITIES

First, let’s review the first part of the COSO definition of control activities, which equate to the internal control steps cited in Part 1:

Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity (Internal Control – Integrated Framework Executive Summary, COSO, May 2013).

Two words in this definition are important to auditors: established and actions. Specifically, control activities need to be “established through policies and procedures.” This strongly implies

ABOUT THE AUTHOR
Deena King is the Director of Compliance at Texas Woman’s University in Denton, TX. She is a Certified Information Systems Auditor and a Certified Compliance and Ethics Professional. Deena has over 30 years of experience in a variety of organizations, including local, state, and federal government, higher education, non-profit, utility, and for-profit. Her work with the federal government literally took her all over the world. She is the author of the book Compliance in One Page and a member of the Society of Corporate Compliance and Ethics (SCCE). Deena has also served in a variety of capacities with local ISACA and IIA boards.
COLLEGE & UNIVERSITY AUDITOR
Audit Tools