University of Minnesota  Appendix

Monitoring Compliance with Policies


Expand all


Table of Contents

TOC placeholder


Please use the contact section in the governing policy.

Responsible officers are required to ensure that monitoring compliance with policies occurs, per Administrative Policy: Establishing Administrative Policies. Monitoring is the process of checking compliance with policy requirements. Information gathered through monitoring provides responsible officers or their designees, often the policy owner, an opportunity to identify compliance challenges with current policies and address low compliance rates.

Approaches to Monitoring

There are a number of ways to actively monitor compliance with the policy. The most common approaches include:

  1. creating and reviewing exception reports to capture activity outliers;
  2. reviewing a sampling of transactions that have occurred to see if they were in alignment with the policy requirements;
  3. approving all or some of the transactions prior to processing; or
  4. conducting an onsite review.

You may want to start with reviewing the requirements that are externally imposed (e.g., laws, regulations) and see how you might monitor those first. Then move on to those requirements that are imposed by the University, especially those which carry the greatest risk.

Active vs. Passive Monitoring

In active monitoring, a policy owner establishes a regular plan to review key elements of the policy, determines the frequency of the monitoring, as well as the method.

Passive monitoring typically involves taking action when a triggering event, such as a reported incident, occurs. Noncompliance could be a single isolated event or owners may, in the course of investigating the noncompliance, determine that there’s likelihood that there is a pattern to also be investigated. Passive monitoring is more appropriate for policies where the risk and impact of noncompliance is low and where it’s more difficult to actively monitor compliance. 

For higher risk policies, policy owners must use an active approach to monitoring required elements of a policy. In some circumstances, directly monitoring compliance with a policy element may not be reasonable, and a more passive monitoring approach may be appropriate.

Policy owners can use the following questions to determine whether the likelihood of noncompliance and the impact of that noncompliance would indicate that a more active approach to monitoring the policy is warranted. Policy owners are encouraged to objectively respond to each of the questions so that the best approach to monitoring is selected. The approach selected will be reviewed by the Director of the University Policy Program and the Policy Advisory Committee (PAC).

  • Is there a high probability of noncompliance with policy requirements?
  • Is the subject matter covered in the policy governed by a state or federal law, rule or regulation?
  • Is the subject matter covered in the policy regulated by one or more external entities, such as a research funding agency?
  • Will a failure (noncompliance) likely:
    • have a direct impact on someone’s health or physical safety?
    • have a significant negative impact on the University’s reputation?
    • provide an opportunity for fraud or other exploitation if active monitoring doesn’t occur?
    • have a significant financial impact?
    • impact a group of individuals vs. one person?

Documenting Monitoring

There is no required form for documenting monitoring; however, creating a spreadsheet might be a good option. Note that you will need to provide the compliance rate on the comprehensive review form the next time your policy is up for review. 

Results of monitoring should be communicated to someone in your leadership structure, at least annually. If there are significant findings through your monitoring activities, we strongly encourage you to notify your manager and senior leader. In some cases, it may be discovered that a policy requirement needs to be revised to improve clarity. For serious non-compliance in a high risk area, a training strategy may need to be deployed or other action, such as the supervisor starting the disciplinary process.