not mobile

Business Procedures Manual

16.1 Institution Audit Staff, BoR Audit Staff, State Dept. of Audits & Accounts, 3rd-Party Audits

Print friendly

Modified: July 12, 2011

Institutions of the University System of Georgia (USG) are audited regularly by the state Department of Audits and Accounts, federal auditors, the Board of Regents (BOR) Internal Audit department, and other third-party auditors.

The USG Internal Audit function is comprised of the BOR Office of Internal Audit and Compliance and institutional internal auditors.

The USG Internal Audit function exists to support the Board of Regents, system administration, and institutional administrations in meeting their governance, risk management and compliance responsibilities while helping to improve organizational and operational effectiveness and efficiency.. Internal auditing provides independent and objective assurance and consulting services to the BOR, the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.

The USG Internal Audit function conducts operational, financial and information technology assurance engagements of USG institutions and the University System Office (USO), performs system-wide reviews of specifics programs and processes, provides consulting services to the USO and to USG institutions, and conducts special reviews and investigations.

To accomplish these objectives, an internal auditor is authorized to have full, free, and unrestricted access to all property, personnel, and records to the extent permitted by law. The USG Human Resources Administrative Practices Manual ( details additional employee responsibilities pertaining to cooperating with internal audits. Internal auditors are charged to provide records in their possession the same level of protection provided by the record steward or owner. The USG Internal Audit function shall adhere to the International Standards for the Professional Practice of Internal Auditing published by the Institute of Internal Auditors, Inc..

The state Department of Audits and Accounts is charged by law to audit all state institutions. It conducts several types of audits, and provides reviews and recommendations for improving financial and management controls.

Various Federal agencies conduct audits and investigations associated with federal funds, programs, and/or regulated activities administered by USG entities. USG entities may be subject to additional third-party assurance engagements insofar as the third-party has the legal or contractual authority to conduct an assurance engagement or review. Examples are provided in Section 16.1.4.

Modified: July 12, 2011

Of the thirty-five USG institutions,twenty-two have a budgeted internal audit department. The institutional chief auditor ICA at each institution has a direct reporting relationship to the president of their institution and to the USG Chief Audit Officer (CAO). Board Policy 7.10.2 and the USG internal audit charter specifies the duties and responsibilities associated with the ICA reporting relationships. The institutional president and the CAO approve institutional audit charters. Further duties of the CAO and the ICAs are specified in the internal audit charter and in the CAO’s internal audit manual.

The ICA at each institution submits an audit plan to the USG Office of Internal Audit and Compliance (OIAC) in accordance with guidance published by the USG Chief Audit Officer. Based upon this input and a risk-based audit model, the Office of Internal Audit and Compliance develops a system-wide audit plan. The implementation of the system-wide audit plan is coordinated with the institutional internal audit plans and with external assurance providers to ensure major risks are addressed while minimizing duplication of effort and disruption of auditee operations. The USG Chief Audit Officer has the authority to direct the ICAs to audit specific functions at their institutions. Additionally, each ICA submits engagement reports to the OIAC for summary reporting to the Board and for the annual report to the BOR Committee on Internal Audit, Risk, and Compliance.

16.1.1 Institutional Audit Staff

Modified: June 26, 2013

Those institutions with a budgeted audit department include:

  • Albany State University
  • Atlanta Metropolitan State College
  • Armstrong Atlantic State University
  • Clayton State University
  • College of Coastal Georgia
  • Columbus State University
  • Dalton State College
  • East Georgia State College
  • Fort Valley State University
  • Georgia College & State University
  • Georgia Gwinnett College
  • Georgia Regents University
  • Georgia Highlands College
  • Georgia Institute of Technology
  • Georgia Perimeter College
  • Georgia Southern University
  • Georgia State University
  • Kennesaw State University
  • Middle Georgia State College
  • Savannah State University
  • South Georgia State College
  • Southern Polytechnic State University
  • University of Georgia
  • University of North Georgia
  • University of West Georgia
  • Valdosta State University

Institutional audit functions may be comprised of a dedicated audit function, a shared auditor model where one audit professional is assigned to an internal audit role at two institutions, or a regional model where an audit shop of one or more audit professionals is assigned to multiple institutions.

The ICAs meet at least annually with the USG Chief Audit Officer to discuss audits, audit findings, and other issues relevant to the USG Internal Audit function.

ICAs are responsible for performing appropriate audit procedures to verify corrective action of each issue rated material within sixty (60) days of the issue being reported as closed/resolved by the institution’s management. OIAC auditors shall verify corrective action for those institutions without an institutional internal audit function.

16.1.2 Board of Regents Audit Staff

Modified: July 12, 2011

The USG OIAC supports the Board of Regents, system administration, and institutional administration in the effective discharge of their responsibilities. The OIAC is responsible for providing an objective appraisal of the University System’s governance, risk management, compliance and control activities as well as providing advisory services for management throughout the USG.

The USG Chief Audit Officer reports directly to the Chancellor and indirectly to the BOR Committee on Internal Audit, Risk, and Compliance (Committee).

16.1.3 State Department of Audits and Accounts

Modified: July 12, 2011

The Department of Audits and Accounts, as part of the legislative branch of state government, is the external independent auditor of the University System. The Department of Audits and Accounts conducts financial audits, compliance audits, performance audits, and vulnerability assessments or reviews and makes recommendations for improving financial and management controls within the USG. The Department of Audits and Accounts reviews USG’s internal control structure and operations to determine the scope of the examination and reliability of the entity’s financial data. The internal audit function contributes to the internal USG control structure with its emphasis on monitoring and oversight.

Current state law per Georgia Title 50-6-3 states:

The Department of Audits and Accounts shall audit all state institutions. No official of the state shall have authority to employ or hire any other auditing agency.

Georgia Title 50-6-6 states in part:

It shall be the duty of the Department of Audits and Accounts to thoroughly audit and check the books and accounts of…the several units of the University System of Georgia.

Final reports are copied to the Vice Chancellor for Fiscal Affairs, the USG Chief Audit Officer, and the pertinent BOR Committee Chairs. ICAs, or OIAC auditors for institutions without CIAs, perform appropriate audit procedures to verify that corrective action has taken place for all material weaknesses.

This verification should be performed for each material weakness no later than sixty (60) days after the material weakness has been reported as closed/resolved by institution management. Any unfavorable exceptions are reported to the OIAC and the Vice Chancellor for Fiscal Affairs.

16.1.4 Third-Party Audits

Modified: July 12, 2011

Third-party audits may be conducted by various audit agencies. These agencies may include, but are not limited to:

  • Defense Contract Audit Agency
  • Georgia Department of Administrative Services Process Improvement
  • Georgia Student Finance Commission
  • Health and Human Services (HHS)
  • Internal Revenue Service
  • Medicare and Medicaid Audits
  • Office of Inspector General (Georgia)

It is the responsibility of local institution officials, either the campus auditor or, if none exists, the chief business officer (CBO), to be cognizant of third-party audits and associated issues. Institutional management shall notify the ICA, OIAC, and the Vice Chancellor for Fiscal Affairs of any third-party audits and shall provide a copy of a final audit report.

Modified: July 12, 2011

The USG Office of Internal Audit and Compliance conducts various types of engagements to include assurance engagements, consulting engagements, and special reviews or investigations. Engagement scope is determined by the USG Chief Audit Officer in consultation with auditee management. Potential engagement scopes are summarized below.. Some engagements may comprise more than one engagement type, e.g., a blend of assurance and consulting work.. Institutional auditors may conduct engagements comparable in scope to the engagements listed in Section 16.2.1. However, the actual engagements performed will be determined by the audit plan approved for that institutional auditor.

16.2.1 Potential Engagement Scope

Modified: July 12, 2011

The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the organization’s system of governance, risk management, compliance, internal control and the quality of performance in carrying out assigned responsibilities. The scope will vary by institution or area and may include:

  • Review the effectiveness of governance processes to include the:
    • Promotion of ethical behavior within the organization;
    • Efficiency of organizational performance management and accountability;
    • Communication of risk and control information to appropriate areas of the organization; and,
    • Coordination of activities and information among the Board, external and internal auditors, and management.
  • Review the effectiveness of risk management processes to include the:
    • Alignment of organizational objectives in support of the USG and institutional missions;
    • Identification and assessment of significant risks;
    • Alignment of risk responses with the USG’s risk appetite; and,
    • Capturing and communication of relevant risk information across the USG and its institutions so as to enable staff, management, and the Board to carry out their responsibilities.
  • Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
  • Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports and whether the entity is in compliance with those systems.
  • Review the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
  • Review and appraise the economy and efficiency with which resources are employed.
  • Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
  • Review the status of Information Technology policies and procedures, verifying that required hardware, software and process controls have been implemented and that the controls are functioning properly.
  • Conduct special audits at the request of the Committee Chair, the Chancellor or institution presidents.
  • Investigate reported occurrences of fraud, embezzlement, theft, waste, and other instances of malfeasance and recommend controls to prevent or detect such occurrences.
  • Analyze and review public private ventures undertaken by the USG, USG institutions, and USG cooperative organizations.
  • Provide consulting services at the request of institution management and with the CAO’s approval consistent with the IIA standards governing consulting engagements. Consulting engagements undertaken by the OIAC should have the potential to contribute to the improvement of governance, risk management, compliance, and/or internal controls within the USG or within a USG institution.
    • Institutional auditors do not require CAO approval to conduct consulting engagements requested by management. However, significant changes to the institutional audit plan do require approval as noted in Section 16.3.1.

Modified: July 12, 2011

The engagement process begins with the development of the audit plan, and ends with the issuance of the final report and any follow-up of significant and material audit exceptions. The engagement process used by the USG Office of Internal Audit and Compliance (OIAC) is shown below.

16.3.1 Rolling Audit Plan

Modified: July 12, 2011

Internal audit professional standards mandate an audit risk assessment and audit plans. OIAC will meet these professional standards through maintaining a rolling risk assessment that supports a near-term/one to five months, medium-term/six to ten months, and long-term/eleven to fifteen months and beyond audit plan. The OIAC risk assessment will focus on issues that present a high degree of risk to the USG and/or USG institutions. We will identify these issues through:

  • collecting information from multiple sources, analyses, and measures;
  • fusing collected information into potential risks; and,
  • assessing potential risks by likelihood, impact, and breadth.

The OIAC risk assessment will be ongoing and will include input from the Board of Regents (BOR), USG and institutional leadership, the OIAC Audit Advisory Committee, and other sources as appropriate. Issues presenting a high degree of risk will be further analyzed to determine which internal audit engagement best addresses the identified risk. Engagements may be pursued at the system-level or at an institutional-level. The USG Chief Audit Officer (CAO) will periodically present the rolling audit plan for approval to the BOR Committee on Internal Audit, Risk, and Compliance (Committee). The USG CAO is authorized to revise the rolling audit plan but shall inform the Committee of any significant changes. The USG CAO shall provide written notification to auditees that the institution/audit area has been included on the rolling audit plan.

Institutional Chief Auditors (ICAs) may conduct either annual or rolling risk assessments and audit plans. The USG CAO shall issue guidance for use in preparing institutional audit plans in February of each year. ICAs shall submit a narrative describing the risk assessment process, the list of identified risks, and the institutional audit plan for review and compilation by the USG CAO. The USG CAO shall submit the compiled institutional audit plans for approval by the Committee. The ICA (with the authorization of the USG CAO) is authorized to revise institutional audit plans. Minor revisions to institutional audit plans do not require approval by the USG CAO. The USG CAO shall inform the Committee of any significant changes.

16.3.2 Engagement Preliminary Assessment, Scheduling and Notification

Modified: July 12, 2011

Auditee management is contacted at least sixty (60) days prior to the intended start of an engagement in order to schedule a preliminary assessment. The preliminary assessment consists of an initial visit by OIAC staff in order to determine potential engagement areas. The preliminary assessment relies heavily on input from institutional management in order to craft a value-added engagement. The preliminary assessment team shall engage the auditee or client in a discussion on the nature of any opinion to be rendered by the OIAC,

A formal engagement letter, to include the engagement scope, is sent to the institution president (for institutional engagements) or to the senior executive responsible for an activity (for USO and USG-wide engagements) at least thirty (30) days prior to the engagement. The letter also details specific information needed for the engagement and any logistical assistance that might be required.

The auditee or client is responsible for identifying a representative to serve as the engagement team’s primary contact while on campus. The auditee or client also identifies a key contact person for each function reviewed. The engagement team leader schedules and facilitates an opening conference with the auditee or client senior management.

Consulting engagement planning shall also include development of a consulting charter. Office of Internal Audit and Compliance consulting charters should be approved by the USG Chief Audit Officer and the consulting client. Consulting charters shall minimally address engagement objectives and deliverables.

16.3.3 Conducting the Engagement

Modified: July 12, 2011

Information obtained during the course of the engagement provides the documented basis for the engagement team’s opinions, observations, and recommendations expressed in the engagement report. Auditors are obligated by professional standards to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound basis for engagement observations and recommendations.

Sampling may be used to test less than 100 percent of a population. In sampling, the engagement team accepts the risk that some or all errors will not be found and the conclusions drawn may be wrong. The type of sampling used and the number of items selected should be based on the engagement team’s understanding of the relative risks and exposures of the areas reviewed.

Engagement work performed is documented in working papers. Information included in the working papers should be sufficient, competent, relevant, and useful to provide a sound basis for engagement observations and recommendations. Working papers may include schedules and analyses, documents, write-up, and flow charts. Evidential matter may also be obtained through interviews and observations.

Upon the conclusion of the fieldwork, the engagement team summarizes the engagement observations, conclusions, and recommendations necessary for preparation of the engagement report draft discussion.

16.3.4 End of Engagement Review

Modified: July 12, 2011

At the conclusion of the fieldwork, the engagement team meets with the auditee’s or client’s management team to discuss observations and recommendations. At this time, the auditee or client comments on observations and recommendations, and any inaccuracies or impractical recommendations are resolved to the extent possible.

16.3.5 Exit Conference

Modified: July 12, 2011

At the conclusion of the end of engagement review, the engagement team develops a discussion draft that details the engagement executive summary, background, issue ratings (for assurance engagements), engagement observations, and recommendations. This discussion draft is shared with the auditee or client management prior to conducting an exit conference. At the exit conference, the engagement team reviews the discussion draft with management and any disagreements are resolved to the extent possible.

16.3.6 Closing the Engagement

Modified: July 12, 2011

After the exit conference, the engagement team prepares a final draft, taking into account any revisions resulting from the exit conference and other discussions. When changes have been reviewed by OIAC management, along with an evaluation of the auditee’s or client’s written responses for inclusion in the final report, the report is issued.

The USG Chief Audit Officer’s approval is required for release of all OIAC reports. Institutional engagement reports must be submitted to the OIAC. All significant issues and material issues are summarized for reporting to the BOR Committee on Internal Audit, Risk, and Compliance.

16.3.7 Follow-Up Review

Modified: July 12, 2011

Follow-up is required of all audit issues classified as significant or material. Each material issue reported as closed/resolved by institution management shall be reviewed by the ICAs or the OIAC within sixty (60) days of the issue being reported as closed. Significant issues may be reviewed after being reported as closed but this review is not required. The actions taken to resolve the issues are reviewed and may be tested to ensure that the desired results were achieved. In some cases, managers may choose not to implement an issue recommendation and to accept the risks associated with the audit issue. The follow-up review will note this as an unresolved exception. The USG Chief Audit Officer shall periodically report the status of audit issues to the Committee to include the status of issues not closed in a timely manner.

Open or partially resolved State, OIAC and institution audit findings are maintained in the USG Internal Audit function enterprise system. Auditee management, such as the chief business officer or the ICA, update the status of each issue in the USG Internal Audit function enterprise system on at least a quarterly basis.

16.3.8 Exception Ratings

Modified: July 12, 2011

Individual ratings are assigned to each assurance engagement observation contained in reports issued by the OIAC. ICAs may choose not to publish observation ratings but shall assign ratings to observations in the USG Internal Audit function enterprise system. ICAs shall use the USG Internal Audit rating system insofar as ICAs elect to publish observation ratings. All issues would be included in the audit report but “Comments” would not be presented in a full audit finding format. The scales for the USG Internal Audit rating systems are listed below.

Report Item Rating Scale

  • Advisory
    • Categorized by area reviewed
    • Used to identify recommendations contained in a consulting engagement report
  • No Issue
    • Engagement Team did not identify any reportable issue
    • Included in report and tracked in USG Internal Audit function enterprise system.
  • Comments
    • Nominal or minor violations of procedures, rules, or regulations.
    • Minor opportunities for improvement.
    • Not included in report but are tracked in USG Internal Audit function enterprise system.
    • Corrective action suggested verbally, but not required.
  • Significant
    • Significant violation of policies and procedures, and/or weak internal controls.
    • Significant opportunity to improve effectiveness and efficiency.
    • Significant risk identified.
    • Corrective action required.
  • Material
    • Material violation of policies/procedures/laws, and/or unacceptable internal controls, and/or high risk for fraud/waste/abuse, and/or major opportunity to improve effectiveness and efficiency.
    • Material risk identified.
    • Immediate corrective action required.

16.3.9 State Department of Audits and Accounts Report Ratings

Modified: July 12, 2011

The state Department of Audits and Accounts (DOAA) periodically communicates the results of DOAA audits to those charged with governance as required by DOAA professional standards. DOAA audit results also may be summarized in OIAC communications.

Material weaknesses and significant deficiencies identified by DOAA auditors and the associated corrective action plans are also tracked in the USG Internal Audit function enterprise system. USG and institutional management shall update the status of corrective action plans associated with DOAA findings on at least a quarterly basis. The OIAC shall coordinate with the State Accounting Office (SAO) to update the status of corrective action plans as tracked by the SAO using data submitted by USG institutions. OIAC’s submittal of institutional data does not imply ownership of the institutional findings or validation of management’s reported status.

Modified: November 14, 2014

The USG is committed to the highest ethical and professional standards of conduct in pursuit of its mission to create a more educated Georgia. This mission demands integrity, good judgment and dedication to public service from all members of the USG Community. USG employees have an affirmative duty to report wrongdoing in a timely manner and to refrain from retaliating against those who report violations or assist with authorized investigations. The USG also is committed to preventing and detecting fraud, waste, abuse, and other forms of wrongdoing and taking action when wrongdoing occurs. It is the policy of the USG to refer all criminal acts to law enforcement for investigation.

16.4.1 Conduct to Report

Modified: November 13, 2014

Wrongdoing is defined under this policy as violations of USG policies, state or federal law, violations of ethical and professional conduct and fraud, waste or abuse. Examples of wrongdoing include, but are not limited to: USG Code of Conduct violations, discrimination, harassment, research misconduct, academic misconduct and privacy violations. Fraud, waste and abuse are defined further as follows:

Fraud: A false representation of a matter of fact that is intended to deceive another. A fraudulent act may be illegal, unethical, improper, or dishonest and may include, but is not necessarily limited to:

  • Embezzlement
  • Misappropriation
  • Alteration or falsification of documents
  • False claims
  • Asset theft
  • Inappropriate use of computer systems, including hacking and software piracy
  • Bribery or kickbacks
  • Conflict of interest
  • Intentional misrepresentation of facts

Waste: The expenditure or allocation of resources in excess of need that is often extravagant or careless.

Abuse: The intentional, wrongful, or improper use of resources. Abuse may be a form of wastefulness, as it entails the exploitation of “loopholes” to the limits of the law, primarily for personal advantage.

16.4.2 Where to Report

Modified: November 13, 2014

Events presenting an immediate threat to life or property or that are obvious criminal acts should be reported to law enforcement. Employees should report other wrongdoing or concerns through the administrative processes and procedures established by their institutions and the USG. Unless otherwise indicated or circumstances make it inappropriate, employees should report wrongdoing through their supervisory chains. Other reporting avenues, however, are always available, including the institution’s internal audit department, the human resources department, the office of legal affairs and the corresponding departments at the University System Office, which include the internal audit department, the human resources department and the office of legal affairs. Wrongdoing and concerns also can be reported anonymously on the Ethics and Compliance Reporting Hotline, which is available 24 hours a day, 7 days a week at:

16.4.3 Protection against Retaliation - Whistleblower Protection

Modified: November 13, 2014

Protections Afforded: USG employees may not interfere with the right of another employee to report concerns or wrongdoing, and may not retaliate against an employee who has reported concerns or wrongdoing, has cooperated with an authorized investigation, has participated in a grievance or appeal procedure, or otherwise objected to actions that are reasonably believed to be unlawful, unethical or a violation of USG policy. Violations of this policy may result in disciplinary action, which may include the termination of employment.

Conduct Prohibited: Retaliation is any action or behavior that is designed to punish an individual for reporting concerns or wrongdoing, cooperating with an investigation, participating in a grievance or appeal procedure or otherwise objecting to conduct that is unlawful, unethical or violates USG policy. Retaliation includes, but is not limited to, dismissal from employment, demotion, suspension, loss of salary or benefits, transfer or reassignment, denial of leave, loss of benefits, denial of promotion that otherwise would have been received, and non-renewal.

Written Procedures: Each institution shall maintain written procedures for receiving and investigating allegations of actions that violate the USG’s policy prohibiting retaliation. Violations of this policy should be reported through the administrative processes and procedures established by each institution. Alleged retaliation by an employee assigned to the University System Office should be reported to the Vice Chancellor for Human Resources.

False Reports / False Information: This policy does not protect an employee who files a false report or who provides information without a reasonable belief in the truth or accuracy of the information. Any employee who knowingly files a false report or intentionally provides false information during an investigation may be subject to disciplinary action, which may include the termination of employment.

16.4.4 Investigation of Malfeasance

Modified: November 13, 2014

Malfeasance is any conduct or act carried out by a public official that cannot be legally justified or conflicts with the law including, but not limited to, fraud, waste, and abuse. The USG Office of Internal Audit and Compliance has the primary obligation for investigating reported malfeasance involving the University System Office, institutional senior administrators, and institutions without an institutional internal auditor. Institutional internal audit departments have the primary obligation for malfeasance investigations at institutions.

The internal audit departments at both the institution and the University System Office may contact other departments, including the office of legal affairs and the department of public safety, to establish the necessary team to proceed with the review or investigation. The investigative team will attempt to keep source information as confidential as possible.

16.4.5 Malfeasance Reporting

Modified: November 13, 2014

Incidents involving suspected criminal malfeasance by an employee must be reported to the USG Chief Audit Officer once an initial determination has been made that employee malfeasance may have occurred. Malfeasance reports should be marked confidential and submitted in draft form. Malfeasance reports should include:

  • Institution’s name and point of contact , including the email address and phone number;
  • Description of the incident, including the incident time, date, location, improper activity, and estimated loss to the institution (if any);
  • Known suspect information, including the employee name, title, employment status (administrative leave, pending termination, etc.), and supervisor’s name; and,
  • Current case status, including law enforcement involvement and the results of any internal audit investigation.

The USG Chief Audit Officer, in consultation with the USG Office of Legal Affairs, shall transmit employee malfeasance reports to the Georgia Department of Law. The transmittal letter shall include an incident summary and may include a recommendation as to whether to pursue further investigation.

16.5.1 Purpose

Modified: November 13, 2014

The Ethics and Compliance Reporting Hotline was implemented in January 2008 as part of a comprehensive ethics and compliance program that was designed to promote the highest standards of ethical and professional conduct within the USG. The hotline allows concerns to be reported confidentially by phone or on-line. The hotline is administered by a third party vendor that provides for confidential communication. The hotline does not replace existing reporting mechanisms, including reporting concerns to an employee’s supervisor, but rather serves as an additional reporting option. Each institution has a hotline web address and a telephone number assigned to it. A list of the web address and telephone number for each institution can be accessed from the following web address:

16.5.2 Procedures

Modified: November 13, 2014

This policy sets forth the minimum requirements for the administration of each institution’s Ethics and Compliance Reporting Hotline. Other institutional or USG policies may provide further guidance relating to allegations of specific conduct, such as sexual harassment, academic misconduct, poor work performance, and conflicts with other employees.

16.5.3 Implementation

Modified: November 13, 2014

To implement this policy, each institution shall document its procedures for receiving, investigating and resolving hotline reports. The Ethics and Compliance Reporting Hotline is an additional method of reporting concerns and wrongdoing, but does not replace existing processes for investigating and resolving reports of wrongdoing. As such, a policy for receiving and reviewing specific allegations of misconduct already may be in place at each institution. Reports received on the hotline do not require institutions to establish a duplicate process for investigating such concerns or wrongdoing. The procedures established at each institution, however, must comply with the provisions of this policy.

16.5 4 Administration and Responsibility for the Ethics and Compliance Hotline

Modified: November 13, 2014

The president of each institution shall appoint an administrator who will serve as the Ethics and Compliance Reporting Hotline Coordinator. Each USG institution is encouraged to establish a triage committee to review and manage reports received on the hotline. Triage committee members may include representatives from internal audit, the office of legal affairs, compliance, human resources, public safety/campus police, information security or other functions at the discretion of the institutional president. However, all reports received regarding potential fraud, waste and abuse must be provided to the internal audit department.

If a triage committee is established, it is this committee’s responsibility to monitor the institutional Ethics and Compliance Reporting Hotline and to ensure appropriate remediation of hotline issues. Absent a formal triage committee, the Hotline Coordinator is responsible for ensuring compliance with this section. Issues involving members of the triage committee or institutional executive management shall be referred to the USG Office of Internal Audit and Compliance for remediation and/or investigation.

16.5.5 Confidentiality

Modified: November 13, 2014

All employees involved in the process of receiving and investigating reports of wrongdoing must exercise due diligence and reasonable care to maintain the integrity and confidentiality of the information received. All USG employees must ensure they comply with state and federal laws regarding whistleblower protection.

16.5.6 Investigative Processes

Modified: November 13, 2014

A. Evaluation: Each institution will include in its written procedures, a process for evaluating and resolving complaints received on the hotline, assigning a case manager, establishing and maintaining communications with all appropriate parties, establishing an estimated timeframe for the resolution of reports received, and ensuring that cases are properly documented and closed. The evaluation process shall also include determining if the concerns raised in the report should be directed to a particular supervisor for remediation or to a department or office for investigation in accordance with previously established policies and procedures of the institution.

B. Case Manager: A case manager will be assigned to all hotline reports received. The case manager will be responsible for the proper handling of the case, including determining if the case should be directed to a department or office in accordance with previously established policies and procedures, the assignment of additional investigators (if needed), conducting interviews, documenting all relevant information in the case file, ensuring that timely communication is maintained with all appropriate parties, including the reporter and the accused, ensuring that any required corrective action is taken, and closing the case in the hotline software in a proper and timely manner. If a case is directed to another department or office for remediation, the case manager maintains the responsibility to ensure the case is properly resolved, that appropriate communication is maintained with all parties and for closing the case on the hotline software.

C. Communication with the Reporter / Complainant: A response to the reporter / complainant shall be made within two (2) business days of the receipt of the hotline report that, at a minimum, acknowledges receipt of the report. The reporter also may be asked to provide additional details to assist in evaluating and resolving the matter reported. The reporter shall be kept informed of the status of the investigation and shall be notified concerning the resolution of the case and the action taken.

D. Communication with Named Persons: Named persons alleged to have committed a violation shall be notified of the allegations made and shall be kept informed of the status of the investigation. Notification shall be made at the time and to the extent that the case manager determines that it will not affect the integrity of the investigation.

E. Corrective Action: Any recommended corrective action pertaining to USG employees will be taken by or coordinated with the institution’s Human Resources Department. Corrective action includes, but is not limited to, recommended training, retraining, counseling, reprimands, suspensions and the termination of employment, consistent with the institution’s progressive discipline policy and other applicable Board and human resources policies.

F. Closing the case: Once all necessary investigative acts have been completed and properly documented, the administrative process to properly and promptly close the case must be completed, which shall include, at a minimum, notifying the reporter/ complainant, documenting the resolution and action taken, and making the required entries on the hotline software in a manner that the date on which the case is closed is properly documented.

16.5.7 Tracking and Analyzing Reports

Modified: November 13, 2014

Each institution shall analyze, track and monitor reports to identify trends or problem areas. Updates regarding the number and types of cases shall be provided by the University System Office to the Board of Regents.

16.5.8 Access to the Ethics and Reporting Hotline and Other Reporting Processes

Modified: November 13, 2014

A. On-Line Link to Ethics and Compliance Reporting Hotline: Each institution shall provide an on–line link to its Ethics and Compliance Reporting Hotline on the home page of the institution’s website or other prominent location accessible by employees, students, and the public.
B. Additional Reporting Contact Information: Each institution is encouraged to publish all of the reporting options pertaining to that institution’s processes and procedures on one web page. Further, each institution is encouraged to provide a listing of alternative reporting contacts for suspected wrongdoing that is widespread, or concerns the USG System as a whole. The additional reporting contacts should include but are not limited to the following:

  1. The Ethics and Reporting Hotline for the University System Office
  2. The USG Chief Audit Officer
  3. The USG Legal Affairs Office
  4. The USG Director of Ethics & Compliance

Modified: November 13, 2014

↑ Top