Colleges and universities, like every other type of organization, fall victim to wrongdoing. But unlike many other institutions, boards of trustees often fail to maintain mechanisms that can catch illegal activity before it is too late.
Over the past decade, governmental enforcement activity has uncovered systemic compliance failures at colleges and universities across the country. This enforcement activity’s breadth is staggering, and the many examples speak for themselves.
High-profile instances of systematic wrongdoing have occurred at Penn State and Michigan State. The Department of Veterans Affairs took sweeping action last year against Bellevue University, University of Phoenix, Career Education Corporation Colleges and Temple University in response to the institutions’ illegal recruitment practices targeting members of the armed forces. These are just a few examples.
Today, the Department of Veterans Affairs (VA) announced their decision to end new enrollments for GI Bill beneficiaries at the University of Phoenix, Colorado Technical University, American InterContinental University, Bellevue University, and Temple University. (1/4)
— Student Veterans of America (@studentvets) March 9, 2020
The Far-Reaching Consequences of Compliance Failures at Colleges and Universities
Compliance failures have lingering financial consequences that go beyond publicly reported administrative penalties or lawsuits. Compliance deficiencies increase an institution’s enterprise risk profile, which inevitably drives up its operating expenses through increased insurance premiums due to legal and regulatory liability. The Chronicle of Higher Education recently reported that insurance premiums colleges and universities have risen, on average, between 10 and 35 percent in recent years. This expense is directly linked to increased risk profiles at colleges and universities.
Inadequate compliance and weak ethical governance also lead to consequences that go beyond just financial losses – students have suffered, institutions have closed and hard-earned reputations have been tarnished. Moreover, precious institutional resources have been squandered responding to expensive legal and regulatory actions that could have been prevented if sufficient internal controls and compliance oversight had been in place.
Learning from the Mistakes of Others
Boards of trustees serving colleges and universities, in turn, have grappled with how to respond to such wrongdoing. In many cases, they learn about ethical, legal and compliance lapses well after they occur. But the underlying question remains: what can boards learn from other institutions’ prior compliance missteps? How can previous derelictions of duty inform oversight and governance?
The answer lies in understanding how inadequate governance fosters programmatic compliance weaknesses. These lessons, combined with the instructive guidance from the U.S. Department of Justice, can provide boards a roadmap to assess whether an institution does, indeed, have an effective compliance program that holds leaders accountable for compliance mandates.
As fiduciaries, boards of trustees serving colleges and universities need education, transparency and communication to understand and address critical institutional compliance concerns. Without clear communication, boards have no meaningful way to hold an institution’s leadership accountable for compliance failures. In such a vacuum of accountability, wrongdoers can act with impunity.
2 Recent Cases of Wrongdoing: the San Mateo Community College District and the College of New Rochelle
A recent example highlights just how costly noncompliance can be. Widespread misappropriation of funds by the San Mateo Community College Chancellor Emeritus Ron Galatolo recently came to light. It led to a legal and ethical crisis.
This is a crazy story– He was paid circa $800K for nothing for the past two years– before that …
— Polly Mayer (@ClinicPolly) February 9, 2021
A governmental investigation revealed Galatolo had put public funds toward his own retirement, had failed to disclose his personal relationships with vendors that were awarded contracts by the community college district and had failed to disclose numerous gifts – including concert tickets, luxury travel and meals – that were given to him over the years.
This malfeasance occurred without the board’s knowledge. In a pointed statement, the college’s board said that “[i]n the course of the district’s cooperation with that investigation, various matters have come to light that do not appear to have been presented to the board.”
Across the country, in New York, a similar story unfolded. Two former KPMG auditors agreed to be suspended from practicing before the U.S. Securities and Exchange Commission after the financial regulator charged them with improper professional conduct during an audit of the now-defunct College of New Rochelle.
According to an SEC news release, the two auditors were involved in the approval of an unmodified audit opinion for the now-shuttered College of New Rochelle’s 2015 fiscal year financial statements, even though essential audit steps had not been completed. KPMG encountered difficulty finishing the audit after the College of New Rochelle’s controller provided inaccurate, incomplete and contradictory information to the auditors. Despite this, the auditors nonetheless decided to issue a report after the college’s president and controller told them on November 30, 2015 that the audit report was needed by the end of the business day. The resulting financial statements overstated the College of New Rochelle’s net assets by $33.8 million.
Akin to its West Coast counterpart, the board serving the College of New Rochelle claimed no knowledge of any wrongdoing or misconduct by the college’s president, senior financial officers or external auditors. Tellingly, neither schools employed a chief compliance officer, and neither school had a governance structure that provided any mechanism for bringing serious compliance concerns directly to the board. Instead, both boards learned of these mission-critical compliance concerns after the fact through public reporting and inquiries from governmental enforcement agencies.
Ignoring Compliance Does Not Pay
There is a unifying theme for both schools’ misfortunes: Neither had an effective compliance program that could have brought the underlying wrongdoing to their board’s attention at its outset. Instead, both institutions had senior leaders who engaged in misconduct and avoided oversight by merely keeping the board – the entity responsible for holding senior leadership accountable – in the dark. These governance failures occurred because both boards learned of the wrongdoing well after the initiation of serious governmental investigations. It is impossible to have meaningful governance and institutional accountability in the absence of accurate disclosures of material allegations of wrongdoing that pose serious enterprise risk.
That is the reason each of the above examples is an unacceptable outcome from a board governance standpoint. A board serving a college or university should expect the institution will implement and maintain an effective compliance program. A board should also expect to be routinely briefed on mission-critical compliance concerns as a matter of course. In the absence of these, the board itself should put an oversight program in place. These expectations are crucial to a board’s ability to engage in meaningful oversight and governance.
Actionable Guidance Is Available from the Department of Justice
There is government guidance on what constitutes an effective compliance program. For example, the Criminal Division of the U.S. Department of Justice (DOJ) June 2020 guidance on the Evaluation of Corporate Compliance Programs identified the requisite building blocks of an effective compliance function.
This guidance emphasizes that an organization’s compliance program should address and remediate compliance issues across an enterprise on an ongoing, continual and timely basis. It further counsels organizations to devote adequate resources to this effort. It should include an efficient and trusted mechanism that allows employees to anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, suspected or actual misconduct and/or illegal activity.
Importantly, the DOJ’s recommendations stress that compliance professionals be empowered to bring critical compliance concerns to an organization’s most senior level, including directly to an organization’s board. When the DOJ evaluates an institution’s compliance program, it explicitly asks whether a “compliance officer reports to the board of directors, audit committee or other independent body.” The DOJ also assesses whether compliance programs are “adequately resourced and empowered to function effectively.” Having compliance staff in name only fails to meet this critical standard.
Boards serving colleges and universities should embrace the DOJ guidance and re-examine the role of compliance from a holistic perspective. An effective compliance program should have leadership, typically in the form of a chief compliance officer empowered to lead compliance. This leadership should be data-driven, informed by regular risk assessments and respond to lessons learned from identified misconduct.
From a governance and accountability reporting standpoint, chief compliance officers should directly and independently report mission-critical compliance concerns to the board, particularly where compliance issues are inextricably linked to behavior by senior leadership. Embracing the DOJ guidance ensures that boards at colleges and universities are sufficiently apprised of critical compliance concerns before they pose an enterprise risk.
This practice further aligns with changes in the U.S. Sentencing Guidelines. Those guidelines explicitly assess whether an entity’s compliance organization has sufficient resources. They make it clear that an organization’s chief compliance officer should report directly to its board if that organization hopes to gain the most cooperation credit – a mitigation factor in the severity of potential penalties – during a federal investigation or prosecution.
Beyond these guidelines and guidance, boards at colleges and universities can and, in some cases, should, consider engaging outside advisers to assist in responding to critical enterprise compliance concerns brought to their attention.
As the examples have shown, boards can no longer passively monitor compliance and ethical concerns that exist within a college or university. The risk of shirking compliance obligations is not theoretical. The DOJ has collected hundreds of millions in financial settlements from colleges and universities due to a wide range of noncompliant behavior. If illegal or noncompliant activity is brought to a board’s attention explicitly, investigators will not excuse an institution’s board from disavowing knowledge of illicit, illegal, noncompliant activity. Conversely, being uninformed is no excuse for a board’s inaction. As fiduciaries, boards are expected to engage and hold leadership accountable for compliance failures. Considering this, it is critical that the board proactively and routinely review the institution’s compliance policies, procedures and program to ensure that the school’s compliance program comports with best practices embraced by regulatory enforcement agencies.