Monitoring Compliance with Policy
Frequently Asked Questions
Responsible officers are required to ensure that monitoring compliance with policies occurs, per Administrative Policy: Establishing Administrative Policies. This monitoring allows the responsible officers or their designate, often the policy owner, an opportunity to address low compliance rates by means appropriate for the risk.
- What is monitoring?
Monitoring, as it relates to administrative policies, is the process of checking compliance with policy requirements. There is no requirement to monitor those elements of the policy that are “strongly encouraged” or otherwise expressed as optional.
- If I’m a policy owner, do I need to monitor everything covered by my administrative policy?
Policy owners must take all reasonable steps to monitor compliance with the required elements of a policy. In some circumstances directly monitoring compliance with a policy element may not be reasonable, but there may be indirect indicators of compliance with the policy that can be monitored. In rare cases there may be policy requirements for which no reasonable efforts to monitor compliance are available.
- I’ve never monitored my policy before. What are acceptable approaches to monitoring policy requirements?
There are a number of ways to monitor how compliant is your audience. The most common approaches include:
- creating and reviewing exception reports to capture activity outliers;
- reviewing a sampling of transactions that have occurred to see if they were in alignment with the policy requirements;
- approving all or some of the transactions prior to processing; or
- conducting an onsite review.
You may want to start with reviewing the requirements that are externally imposed (e.g., laws, regulations) and see how you might monitor those first. Then move on to those requirements that are imposed by the University.
- I don’t have unlimited resources to conduct the monitoring. Do you have centralized funding that I can access to hire an employee to do this work?
We do not have central funds available for monitoring activities.In most situations, policy owners should be able to establish a monitoring plan that uses current resources and does not diminish current unit performance. For example, a unit may opt to use a sample size involving transactions that can be executed by current staff.
However, if the risk of a particular activity warrants additional resources or different prioritization of work being conducted by your unit that should lead to discussions with unit leadership.
- How do I document my monitoring efforts?
There is no required form for documenting monitoring, however, creating an Excel spreadsheet might be a good option. You will need to provide the compliance rate on the comprehensive review form the next time your policy is up for review.
- Do I need to report the results to anyone?
Results of monitoring should be communicated to someone in your leadership structure, at least annually. If there are significant findings through your monitoring activities, we strongly encourage you to notify your manager and senior leader.
- If I find areas where the compliance rate is low, what should my next steps be?
The action taken depends largely on the types of failures. Monitoring results should be shared with the appropriate management in the area being monitored and a process improvement plan developed. In some cases it may be discovered that a policy requirement needs to be rewritten to improve clarity. For serious non-compliance in a high risk area a training strategy may need to be deployed.
- Is there someone with whom I might speak to discuss my specific policies and an appropriate monitoring plan?
Yes. You may contact the Office of Institutional Compliance or work with your designated senior leader to find a structure that meets this requirement.