The Office of Audit and Compliance Services comprises two independent and objective functions supporting the visions, goals and aims of the University of Vermont through working in partnership with University and Academic leadership to address risks, assess internal controls, and improve the University's governance.

Both groups advise University departments on improving compliance with policy guidelines, legal requirements, and high ethical standards.

Audit Charter

Office of Audit Services Mission (Purpose)

The Office of Audit Services is an independent and objective assurance and consulting activity within the University of Vermont (UVM) that provides the Board of Trustees and management with observations, recommendations and advice designed to add value and improve the effectiveness of the University's risk management, control, and governance processes.

Internal Audit Function

The chief internal auditor is specifically authorized and directed to:

  • Provide a program of financial, operational, information systems, compliance, and investigative audits (i.e., stemming from fraud or dishonest conduct);
  • Have unlimited and unrestricted access to all UVM entities, subsidiaries and related organizations and any associated data, files, records, property, and personnel;
  • Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish the audit objectives;
  • Obtain the necessary assistance of personnel in units of UVM where they perform audits, as well as other specialized services from within or outside UVM;
  • Coordinate all audit activity at UVM to assure an efficient audit coverage that remains responsive to the University's needs.

The chief internal auditor is not authorized to:

  • Perform any operational duties for
  • Initiate or approve any accounting transactions external to internal audit;
  • Direct activities of any UVM employee not employed by internal audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the chief internal auditor.

Internal Audit Operations

The chief internal auditor is responsible for:

  • Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter;
  • Developing an annual risk-based audit plan that incorporates collaboration and consultation with the Board of Trustees, UVM's independent auditors, and management;
  • Proposing an annual audit budget that is adequate to perform the scope of his or her responsibilities and to accomplish the annual risk-based audit plan.

Audit Committee Function

The chief internal auditor reports to and is supervised by the Audit Committee of the Board of Trustees. The Audit Committee has full authority and oversight of the internal audit function including appointment decisions, performance evaluations, salary setting and employment termination of the chief internal auditor. The Audit Committee has delegated to the President administrative oversight regarding certain specific operational activities of the internal audit function.


The Office communicates to management or operating personnel in the form of written reports, consultation, or advice. Written reports include observations, recommendations for improvement, and management's action plans to manage identified risks and to ensure that objectives are achieved. The Office also monitors, evaluates, and verifies (if appropriate) management's responses to audit observations and recommendations. Audit Services reports regularly on the status and results of the annual audit plan and sufficiency of office resources to the Audit Committee.

Professional Standards and Ethics

The chief internal auditor and staff will meet or exceed the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.

Compliance Program Document


To work proactively and collaboratively with members of the University community to promote an institutional culture of compliance and thus prevent and effectively address violations of law, regulation, and University policy and protocols.

Goals and Means

To establish and implement a Compliance Program that monitors, communicates and educates the University community about existing and emerging compliance requirements; raises awareness of the importance of ethics and compliance; coordinates institutional compliance activities; assesses and provides consultation on compliance training initiatives; develops compliance workplans; assesses and reports periodically to senior leadership and the Audit Committee of the Board of Trustees on progress toward compliance goals; and assists in the development of remediation plans as needed.

Roles and Structure

I. The Board of Trustees Audit Committee

A. Role relative to the Compliance Program

  • Oversees the quality and effectiveness of the Compliance Program.
  • Keeps informed about Compliance Program status and effectiveness through regular reports from executive and operational officials, the Chief Internal Auditor (CIA), and the Director of Compliance Services (DCS).
  • Assesses management's response to compliance recommendations.

B. Structure

  • The DCS reports to the CIA.

II. The President

 A. Role relative to the Compliance Program

  • Serves as a champion of the Compliance Program, working visibly to establish a culture of compliance and ethics throughout the institution.
  • Supports the Compliance Program by directing the provision of a reasonable level of funding, staffing and space for the Office of Compliance Services.
  • Annually reviews the compliance risk assessment and work plan; meets regularly with the CIA and DCS to discuss compliance issues facing the University.

 B. Structure

  • The CIA reports to the Audit Committee with a dotted line to the President.

III. The President's Senior Leadership (Vice Presidents)

 A. Role relative to the Compliance Program

  • Provides leadership and support in operationalizing compliance initiatives within their areas of jurisdiction; assigns responsibility; ensures accountability.
  • Keeps informed about Compliance Program status and effectiveness through periodic reports from operational officials, the CIA, and DCS.
  • Brings compliance concerns to the attention of the DCS.
  • Advises the DCS regarding the proposed institutional annual compliance work plan and the need for revisions thereto during the course of the year.

 B. Structure

  • The President's Senior Leadership is advisory to the President.

IV. The Director of Compliance Services

 A. Role relative to the Compliance Program

  • Serves as the institutional officer responsible for the effective implementation of the Compliance Program and directs the Office of Compliance Services.
  • Works collaboratively with other services offices including the Chief Internal Auditor, General Counsel, Chief Risk Officer, Information Security Officer, Chief Information Officer, and Director of Risk Management.
  • Institutes and maintains an effective compliance communication program for the University, including promoting (a) use of the Ethics and Compliance Reporting and Help Line, (b) heightened awareness of the Code of Business Conduct, (c) understanding of new and existing compliance issues and related policies and procedures, and (d) responding to general compliance queries and/or facilitating communications with and between responsible officials.
  • Performs an annual compliance risk assessment to prioritize risks; develops, in consultation with senior management, a compliance work plan.
  • Provides reports on a periodic basis, and as directed or requested, to keep the Board Audit Committee, the President, and senior management informed of the operation and progress of Compliance Program efforts.
  • Administers the Ethics and Compliance Reporting and Help Line, working in collaboration with OGC, the CIA, and the VP for Executive Operations.
  • Coordinates compliance activities within the institution, including the institutional response to new compliance requirements or government reviews.
  • Assists responsible officials in identifying compliance gaps; developing unit compliance work plans; and monitoring and assessing progress toward institutional and unit compliance work plan goals.
  • Liaises with VP for Executive Operations to initiate, develop, maintain, and revise policies and procedures for the University including compliance policies and procedures.
  • Works proactively to assist responsible officials in identifying and assessing compliance with respect to privacy laws and regulations; promotes strategies to mitigate non-compliance, including assistance in developing policies and procedures for the collection, use and sharing of personal information.
  • Works collaboratively with Human Resource Services and other departments as appropriate to assist in developing effective compliance training programs.
  • Convenes Compliance Work Groups, as needed.

 B. Structure

  • The DCS reports to the Vice President for Operations and Public Safety.

V. Audit Services

 A. Role relative to the Compliance Program

  • Based on annual risk assessment, conducts periodic compliance audits.
  • Monitors and reports to the President and the Board of Trustees Audit Committee on the status of management's response to audit observations.
  • Investigates reports of non-compliance except insofar as the responsibility for investigations is otherwise assigned by University policy.

B. Structure

  • The CIA reports to the Audit Committee with a dotted line to the President.

VI. The Office of the General Counsel

A. Role relative to the Compliance Program

  • Monitors, and advises responsible officials regarding, laws and policies, as well as legal developments, relevant to University programs, operations and activities.
  • Counsels officials on the legal implications of policy and other administrative decisions.
  • Assists responsible officials in identifying best practices with regard to legal requirements and policy development.
  • Drafts, reviews, and/or makes recommendations to officials regarding institutional transactions, contracts and policies.
  • Represents and/or oversees legal representation of UVM in the negotiation and/or resolution of significant commercial transactions, litigation, and agency proceedings.

VII. Compliance Work Groups

A. Role relative to the Compliance Program

  • Meet as needed to discuss the status of compliance initiatives, emerging issues, training opportunities, and best practices regarding a specific area of compliance.
  • Identify "gaps" in collaboration with the DCS for further action by responsible officials; assess progress toward specified goals.

B. Structure

  • Work group members are advisory to the DCS and one another and report to their supervisors through normal channels.

VIII. Division of Responsibilities: Executives, Oversight Officials, Operations Managers, Faculty, Staff, and Students

The key principle of the Compliance Program is that compliance is the responsibility of all members of the UVM community. Apart from the general duty we all have as community members to abide by the law and University policies, compliance is designed to protect the safety and well-being of individuals and the campus at large; enhance (and avoid damage to) the reputation of the University; offer professional, educational and personal opportunities for expansion of the individual and collective knowledge base; and direct financial and human resources principally toward proactive, and not punitive, measures.

University community members also have specific responsibilities associated with their role at UVM. In addition to the descriptions above, those responsibilities may be categorized as follows:

Executive: the single senior official responsible, and accountable to the President, for management of specific risks, who has the authority to allocate resources and take corrective action. Executives are Vice Presidents or equivalent. Each executive is charged by the President with coordinating compliance activities within the units reporting to him/her and for bringing any compliance concerns to the attention of the DCS. Delegation of functional responsibility does not relieve an executive of his/her obligation to ensure compliance.

Oversight: the official to whom the responsible "executive" delegates authority to manage the risks and responsibility for monitoring, investigating, reporting, training, and instituting other internal controls. Each oversight official shall take reasonable steps to ensure that all faculty and staff in the unit are familiar with any applicable laws, regulations, policies or rules and are in compliance therewith. It is also the responsibility of the oversight official to ensure that other individuals (e.g., affiliates; contractors) conducting business with UVM are in compliance with governing legal, regulatory or policy parameters. It is also the responsibility of the oversight official to address and, as required, report non-compliance incidents when discovered. At least annually, the DCS will request from the oversight officials compliance information that will be used to compile a campus-wide compliance report and work plan for the upcoming year.

Operational: the individual handling daily operations for managing the risk and otherwise actively addressing compliance responsibilities.

Individual: the obligation of all administrators, faculty, staff and students to be knowledgeable about, and compliant with, the conduct standards and programmatic or operational requirements applicable to their University-related professional, work, and educational or recreational endeavors.

A secondary principle of the Compliance Program is that the Program is most likely to be effective if its orientation is proactive and it incentivizes favorable outcomes.

The third principle is one of accountability - imperative to the success of the Program is outcome assessment and follow-up to verify that appropriate corrective, restorative and/or disciplinary action is taken in the event of shortfalls or violations.

Compliance Universe Matrix

To facilitate due diligence in all areas of University operations affected by compliance obligations, the Office of Compliance Services will maintain a top-level compliance matrix identifying the responsible official for each general area of compliance. This top-level matrix will be posted on the Office website.

Compliance Help Line

The EthicsPoint reporting mechanism shall be administered by the Office of Compliance Services in collaboration with OGC, the CIA, and the VP for Executive Operations. A written protocol shall be maintained by the DCS detailing the associated administrative responsibilities and procedures.

University Institutional Website

The Office of Compliance Services shall maintain the University Institutional Policies Website, inclusive of University Operating Procedures, and the policy review schedule. The Office is responsible for the archiving of policies.


Quality, relevant training for administrators, faculty and staff is essential to the success of a compliance program. The DCS will assist and advise with identifying priority areas for training and advise regarding high-quality, effective communication and awareness programs.

November 4, 2013 • Revised Compliance Program description accepted by the Audit Committee
August 21, 2014 • Administrative revisions

How Audit Services and Compliance Services Interact