Frequently Asked Questions

Organizational Compliance 101

What is Compliance?

Compliance - sometimes referred to as organizational or institutional compliance -  is a framework for facilitating adherence to federal and state laws and policies that govern the organization and for promoting ethical and lawful decision-making and conduct on the part of the organization’s employees. At the UNT System Administration, this includes incorporating the System’s ethics and standards of conduct, and its values into daily operations; knowing and following the laws and policies that affect these operations; educating ourselves on the functions we perform that can expose the System Enterprise to legal and regulatory repercussions; and devoting time and other resources to preventing and detecting violations of law and policies that give rise to risks associated with failing to comply with these laws and policies (i.e. “compliance risks”). 

Where did institutional compliance originate?

High-profile scandals in the 1970s and 1980s highlighted the widespread practice of companies bribing politicians and government officials. In 1991, the Federal Sentencing Guidelines were promulgated in an attempt to bring greater consistency in sentencing, including sentencing organizations that were convicted of violating federal law.

See Pew Research Center. Public Trust in Government: 1958-2024. https://www.pewresearch.org/politics/2024/06/24/public-trust-in-government-1958-2024/

What is the purpose of the Federal Sentencing Guidelines?

The Guidelines: (1) incentivize organizations to self-police their corporate behavior; (2) provide guidance on effective compliance and ethics actions organizations can take to demonstrate a good-faith effort to self-police; and (3) hold organizations accountable based on defined culpability factors.

The organizational sentencing guidelines have wielded significant influence on corporate America…designed to incentivize corporate self-policing through its ‘carrot and stick’ philosophy…it has ‘catalyzed vigorous efforts by companies to promote ethical performance and reduce organizational misconduct.’

See United States Sentencing Commission. “The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence.” August 2022.

Do public agencies and universities need compliance programs?

High-profile scandals over the decades, such as ABSCAM and Iran-Contra, demonstrate why organizational compliance, accountability and responsibility are not limited to the private sector.

What is the benefit of having an institutional compliance program?

Compliance programs foster compliance with the law, which contributes to an organization’s effectiveness and mission accomplishment, including by eliminating the disruption and diversion of resources resulting from investigations into suspected misconduct.  Practically, when determining whether to prosecute an organization for criminal conduct, the Department of Justice considers the “adequacy and effectiveness of the corporation’s compliance program” both at the time of the alleged conduct and at the time the federal government is deciding whether to prosecute. See DOJ Justice Manual 9-28.000 - Principles of Federal Prosecution of Business Organizations.

Is the UNT System Administration required to have a compliance program?

UNT System Regulation 02.1000 requires each component of the System Enterprise to have a compliance program that is designed to prevent and detect violations of law and policies; and that encourages all employees and individuals acting on behalf of the System to conduct themselves lawfully, honestly and with integrity, including preventing retaliation against individuals who make good faith reports of suspected misconduct. 

What can happen if the UNT System Administration does not have an effective compliance program?

An organization’s employees can be sentenced to prison for violating certain federal and state laws. While organizations cannot be sent to prison, they can be prosecuted, fined, ordered to make restitution, and prohibited from receiving federal and state funds. The U.S. Department of Justice has made it clear that the prosecution of organizational criminal conduct “is a high priority.” See “Overview of Organizational Guidelines” and DOJ JM 9-28.800.

How does an organization know when it has an effective compliance program?

The Federal Sentencing Guidelines expect compliance programs to have eight components:

  1. Standards and procedures reasonably capable of reducing the prospect of criminal activity
  2. Oversight by high-level personnel
  3. Due care in delegating substantial discretionary authority
  4. Effective communication to all levels of employees
  5. Reasonable steps to achieve compliance, which include systems for monitoring, auditing and reporting suspected wrongdoing without fear of retaliation
  6. Consistent enforcement of compliance standards including disciplinary mechanisms
  7. Reasonable steps to respond to and prevent repeated violations once a violation is detected
  8. Promotion of an organizational culture that encourages a commitment to compliance and the law

When determining whether an organization’s compliance program is effective, the U.S. Department of Justice asks three “fundamental” questions:

  1. Is the compliance program well designed?
  2. Is the compliance program adequately resourced and empowered to function effectively?
  3. Does the organization’s compliance program work in practice?

See DOJ Criminal Division. “Evaluation of Corporate Compliance Programs.” Updated March 2023.

What does an effective compliance program look like in practice?

In 2005 the U.S. Department of Health and Human Services Office of the Inspector General published seven tangible requirements that a program must demonstrate in order to be effective:

  1. Written policies and procedures
  2. Compliance leadership and oversight
  3. Training and education
  4. Effective lines of communication
  5. Enforcement of Standards: incentives and consequences
  6. Risk assessments, audits, and monitoring
  7. Prompt response to detected violations and corrective action

See U.S. Department of Health and Human Services Office of the Inspector General. “General Compliance Program Guidance.”

 

Reporting Suspected Wrongdoing by Speaking Up

What should I do if I suspect wrongdoing?

An employee or individual authorized to act on behalf of the UNT System who reasonably believes a System employee’s or vendor’s conduct violates law, Regents Rule, System Regulation, or policy is expected to speak up and report the suspected wrongdoing.  Other individuals are encouraged to report suspected wrongdoing.

Why should I Speak Up?

Speaking up when we observe conduct that is not in the best interest of our UNT System community is a form of engagement. Speaking up also models exceptional standards by holding ourselves and others accountable.

Where can I Speak Up about suspected wrongdoing?

Suspected wrongdoing can be reported in several ways, including anonymously:

  1. Notify your supervisor unless your supervisor is the person suspected of the wrongdoing.
  2. Notify the UNT System Administration Compliance and Ethics Program at: 940.565.2156 or compliance@untsystem.edu
  3. Online at the Compliance Trust Line at: https://untsystem.onetrustethics.com/ (reports can be made anonymously).
  4. Inform the Texas State Auditor’s Office if the suspected wrongdoing involves fraud, waste or abuse of public resources at https://sao.texas.gov/ or through the SAO Fraud Hotline at 1-800-TX-AUDIT (1-800-892-8348).

What if I am afraid to hold someone else accountable by Speaking Up about suspected wrongdoing?

Reporting suspected wrongdoing is in the best interest of the UNT System and the people we serve. To encourage a culture of accountability and compliance, the System prohibits retaliation against individuals who report suspected wrongdoing and has implemented a program to protect against retaliation. Also, the Texas Whistleblower Act protects employees who report unlawful activity in good faith from retaliation.

 

Difference Between Compliance and Internal Audit

What is Compliance?

“Compliance” - sometimes referred to as organizational or institutional compliance - is a framework for facilitating adherence to federal and state laws and policies that govern the organization, and for promoting ethical and lawful decision-making and conduct on the part of the organization’s employees. The Compliance & Ethics Program operationalizes this framework with a focus on establishing an organizational culture that is committed to ethical and lawful decision-making and on preventing and detecting violations of the law and policy (i.e. “compliance risks”). It also assists management officials in continuously identifying compliance risks and provides advice on controls to mitigate these risks.

What is Internal Audit?

According to the Institute of Internal Auditors, internal audit is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes…[and] provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.” See Institute of Internal Auditors. “What is Internal Audit?” https://www.theiia.org/en/about-us/about-internal-audit/.

What is the difference between Compliance and Internal Audit?

The “Three Lines of Defense” model for risk governance depicts the difference between management, Compliance and Internal Audit this way:

  • First line: Management has the primary responsibility to own and manage risks associated with day-to-day operational activities. Other accountabilities assumed by the first line include design, operation, and implementation of controls.
  • Second line: The second-line function enables the identification of emerging risks in daily operation of the business. It does this by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support risk and compliance management.
  • Third line: The third-line function provides objective and independent assurance. While the third line’s key responsibility is to assess whether the first- and second-line functions are operating effectively, it is charged with the duty of reporting to the board and audit committee, in addition to providing assurance to regulators and external auditors that the control culture across the organization is effective in its design and operation. See Deloitte. “Modernizing the three lines of defense model – an internal audit perspective.” https://www2.deloitte.com/us/en/pages/advisory/articles/modernizing-the-three-lines-of-defense-model.html.

What is a “compliance risk”?

UNT System Regulation 02.100 defines a “compliance risk” as an action or inaction that exposes an organization to legal or regulatory sanctions. These sanctions can be in the form of fines or penalties, or in some cases criminal prosecution. UNT System Administration employees and individuals authorized to act on behalf of the System Enterprise can expose the organization to sanctions.

Are compliance risks the same as other risks?

Generally, a compliance risk exposes the System Enterprise to criminal liability or civil or administrative sanctions due to a violation of law or policy, including an ethics violation. Other risks, such as environmental, financial, governance, operational, people, reputational/brand, social and safety, strategic, and technological, expose the System to other types of potential harm.

What can I do to contribute to a culture of ethical and lawful conduct?

  • Read the UNT System Administration Ethics and Standards of Conduct policy and model exceptional ethical behavior.
  • Read the Reporting Suspected Wrongdoing policy and demonstrate courageous integrity by speaking up when your training and experience lead you to believe wrongdoing has occurred.
  • Stay current on your ethics and compliance-related training (e.g. conflict of interest, dual employment and outside activities, nondiscrimination, prohibition against sexual assault/harassment, information security, and privacy).

How can I learn more about the UNT System Administration Compliance and Ethics Program?

Be curious and explore the Compliance and Ethics Program webpage often. You will find information about compliance in general, compliance news you can use in your daily professional activities, and more.

 

Compliance Review of Regulations and Policies

What is a Policy?

A policy is a governing principle that communicates and supports the organization’s values, standards and expectations; guides the behaviors, decisions and actions of employees and other individuals in their interactions with the UNT System and its component institutions; ensures compliance with applicable laws, UNT System Regents Rules, System Regulations and component institution policies; promotes the efficient and effective use of UNT System resources; and manages organizational risks. For a policy to be enforceable, it must be approved in accordance with UNT System Regents Rules 02.200.

Is there a difference between a policy and procedure?

Yes. A policy sets out the principles that guide the organization and must be approved by the chief executive officer of the UNT System or the particular component institution, and reviewed by the UNT System Office of General Counsel for legal sufficiency. Once approved for legal sufficiency and approved by the chief executive officer, policies are published in each organization’s policy manual, found at: https://www.untsystem.edu/about-us/policies/. A procedure is the process that outlines how a policy will be implemented and can be approved by the official responsible for administering the function or operation addressed in the policy. Procedures may be included in documents such as guidelines and handbooks.

Why does the Compliance & Ethics Program review policies?

Effective policies are essential to an effective compliance program. An organization’s policies – “from appropriate assignment of responsibility, to training programs, to lines of reporting and communication, to systems of incentives and discipline” – should contribute to the integration of compliance into its “operations and workforce.” See U.S. Department of Justice Criminal Division, “Evaluation of Corporate Compliance Programs” (Updated September 2024). The compliance review assists management officials, as the policy owners, in fulfilling their responsibilities to ensure policies address risks that could expose the organization and its employees to criminal, civil and regulatory sanctions.

What does the Compliance & Ethics Program look for when reviewing policies?

Generally, the compliance policy review consists of:

  • assessing whether a policy addresses a function or activity that could result in criminal, civil, or regulatory sanctions;
  • assessing whether a policy aligns with applicable laws and policies (in consultation with the Office of General Counsel, which is solely responsible for determining whether policies comply with applicable laws, Regents Rules, System Regulations and component institution policies);
  • recommending measures that can be included in policies to prevent and detect possible violations of laws and policies;
  • evaluating the adequacy of proposed measures in managing compliance risks;
  • evaluating the impact, likelihood and velocity of compliance risk(s) addressed in the policy; and
  • identifying areas where policies can facilitate ethical and value-based decision-making and conduct.

The full scope of the compliance review is in the UNT System Administration “Compliance & Ethics Program Regulation and Policy Review Guide.”