While the University Compliance Department provides centralized oversight of the University Compliance Program, compliance is a shared responsibility among all employees, students, volunteers, employees of affiliated organizations who are paid through the University, and vendors.
The Three Lines Model, established by the Institute of Internal Auditors (IIA), illustrates the leading structure for managing risk effectively. The model gives a visual overview that clearly identifies the roles and responsibilities of each line of defense.
Three Lines of Defense
First Line Roles: Operational Compliance Owners / Executive Leaders
First line roles are most directly aligned with the delivery of products and/or services to clients of the organization and include the roles of support functions.
Second Line Roles: University Compliance Department / Enterprise Risk Management
Second line roles provide assistance with managing risk. Second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles. Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance.
Alternatively, second line roles may span a broader responsibility for risk management, such as enterprise risk management (ERM). However, responsibility for managing risk remains a part of first line roles and within the scope of management.
Third Line Roles: Internal Audit
Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers.
Partnerships & Responsibilities
The Audit, Compliance and Human Resources Committee of the Board of Visitors will
- Support leadership by promoting an institutional culture of ethical conduct and adherence to compliance requirements, ensuring appropriate resources to fulfill compliance requirements and expectations.
- Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of noncompliance, helping enforce accountability for compliance expectations.
- Review the findings of any examinations by regulatory agencies and any other auditor observations.
- Review the process for communicating the code of ethics to university personnel and for monitoring compliance therewith.
- Obtain regular updates from management, internal audit, the compliance function, and University legal counsel regarding compliance matters.
The University Compliance Officer will establish and maintain a centralized compliance program promoting a culture of ethical conduct and adherence to compliance requirements by enhancing awareness of compliance risks and responsibilities, improving communication and coordination, monitoring and assessing compliance activities, and supporting compliance owners with their responsibilities. The Compliance Officer will exercise independent oversight of the adequacy of compliance unit activities, tracking and monitoring compliance statuses for periodic reporting to the Audit, Compliance and Human Resources Committee of the Board of Visitors.
The University Compliance Network is a network established and led by the University Compliance Officer, bringing together operational owners of compliance functions to work together to ensure coordination of compliance activities across the institution and in accordance with the University Compliance Program.
The Vice Presidents, in collaboration with respective compliance owners, will maintain an inventory of all compliance requirements for the units within their areas. The inventories will be submitted to the University Compliance Officer as requested, or as changes are made throughout the year. The inventories submitted by the Vice Presidents will be used by the University Compliance Officer to maintain the comprehensive University Compliance Matrix. Vice Presidents are responsible for enforcing accountability and should ensure that position descriptions for those employees who have been identified as responsible for meeting compliance requirements include compliance as a core responsibility that is evaluated during the annual evaluation process.
Compliance owners are responsible for managing all aspects of adherence to rules and regulations within the scope of their assigned authority, including staying updated on the ever-changing legal landscape, interpreting complex regulations, documenting and maintaining policies and procedures, promoting accountability by establishing clear objectives and lines of responsibility, providing communication and training, implementing effective strategies and controls, and tracking progress to ensure the organization's activities align with these requirements. Compliance owners shall promptly notify the University Compliance Officer of the results of regulatory findings, results of an external audit (state, federal or third-party), and results of an external regulatory inspection.