Compliance Assessment Process
Institute Compliance Process
Compliance Assessment & Testing
ASIC has created Campus and JPL compliance matrices by evaluating compliance risk areas specific to the Institute. These matrices are used to identify the cognizant policy office/key points of contact responsible for ensuring compliance with pertinent external laws, regulations, and contractual obligations.
The compliance matrices led to the development of our risk-ranked, five-year ICP plan. ASIC updates the matrices periodically (at least annually).
Risk-Ranked Five-Year Plan
A major component of the ICP is the risk-ranked five-year plan (Plan) and the associated compliance assessments at Campus and JPL. The Plan captures the compliance universe and reflects the relative importance of each compliance area at both Campus and JPL. The maturity of the ICP is tied directly to the progression of the Plan and its systematic approach to evaluating the required elements of specific compliance programs. At least once a year we revisit the risk ranking of each compliance area to determine whether we need to reprioritize our compliance assessment effort.
Compliance Assessment Template
ASIC partners with management responsible for key risk areas to complete a compliance assessment. ASIC's objective for each compliance assessment is to understand, assess, and document management's awareness of external requirements and to verify that management is monitoring risks, has documented policies and procedures, and has obtained or provided necessary training. When performing each compliance assessment, ASIC verifies that key management controls are implemented and operating as intended.
Compliance Assessment Key Areas
For each compliance area, we work with key personnel to complete the Compliance Assessment Template. The Compliance Assessment Template helps establish a baseline understanding of the compliance framework that is in place for each compliance area. The eleven areas covered within the Compliance Assessment Template include:
Identification of key process owners, compliance risks, and applicability. This area helps us identify and understand current processes and relationships, key compliance risks, and the personnel impacted by the compliance area.
Identification of key compliance applicability at Caltech. This area helps identify who is affected by the regulations and compliance requirements (e.g., Institute-wide, specific departments, function- or job-specific roles, specific personnel).
Identification of key compliance risks. This area helps identify the compliance risks that would expose the Institute to the greatest harm if appropriate compliance controls are not in place.
Identification of key regulations and compliance requirements. This area helps us identify and understand the key regulations and compliance requirements affecting the compliance area.
Identification of key reporting requirements. This area helps us identify and understand key federal, state, and local reporting requirements and associated deadlines.
Identification of key periodic reviews by external agencies or organizations. This area helps us identify and understand the regulatory agencies and entities that may review the area and the frequency of their reviews.
Identification of internal policies and procedures incorporating key regulations and compliance requirements. This area helps us identify and understand the internal processes developed to ensure that key regulations and compliance requirements are met. As part of our testing we compare internal policies and procedures with key regulations and compliance requirements to ensure the information is current, roles and responsibilities are clearly defined, and key processes are described emphasizing compliance controls.
Identification of training for compliance with key regulations and compliance requirements. This area helps us identify and understand the types of job responsibilities involved and the training required for each. As part of our testing, we confirm that training materials are current and relevant to the regulatory requirements. We also test a small sample of personnel to confirm that required training was completed and that a record of completion is on file.
Identification of monitoring activities to ensure compliance with key regulations and compliance requirements. This area helps us identify and understand the monitoring processes developed to ensure that key regulations and compliance requirements are met. Monitoring processes may include activities such as on-site inspections, visual observation, and management and supervisory review of data. As part of our testing, we verify that these processes operate as management describes them, including through physical site visits and interviews with the personnel responsible for compliance.
Identification of key metrics used to evaluate adherence to key regulations and compliance requirements. This area helps us identify and understand how management utilizes compliance metrics and whether they are used to enhance compliance controls.
During the compliance assessment and testing process, we may identify gaps, or areas that can be enhanced or strengthened to ensure compliance with key regulations and compliance requirements. For every gap, management provides us with a reasonable corrective-action date. We track all gaps to completion and follow up with management at the designated due dates to determine whether the corrective actions have been completed.