Compliance
Institutional Compliance
Promoting and supporting a working environment reflecting the university’s commitment to
compliance with all legal and regulatory requirements.
"Virginia Tech is committed to integrity, a culture of compliance, and the promotion of the highest ethical standards for all employees."
President Tim Sands
The Office of Audit, Risk, and Compliance (OARC) coordinates the Institutional Compliance Program (ICP). The ICP helps the university community proactively meet its compliance obligations and manage compliance risks.
Purpose and Goals
OARC is a resource and catalyst for the achievement of university best practices in compliance-related subject matter areas. While OARC does not own any discrete compliance subject matter area, it assists in promoting a culture of compliance and ethical behavior.
- Maintaining a matrix of applicable regulations and authoritative guidance
- Providing guidance and resources to the university’s network of compliance risk owners
- Implementing the compliance risk assessment process as a component of the ERM Program
- Facilitating the university’s compliance and ethics hotline
- Supporting the compliance committees in their various duties
- Assisting in response to external reviews and investigations
Program Structure
While compliance is the responsibility of every member of the Virginia Tech community, the success of Virginia Tech’s ICP relies on leadership’s embrace of a culture of compliance in alignment with our strategic goals. To promote that connection, OARC facilitates the ICP in coordination with the Compliance, Audit, and Risk Committee of the university’s Board of Visitors and representatives drawn from the university’s senior leadership (Executive Compliance Committee) and key constituencies across campus (Compliance Advisory Committee).
The program’s most critical work is performed through day-today oversight and operations by the Distributed University-Wide Compliance Owners.
- Identification, assessment, management, and monitoring of regulatory changes
- Integration of adequate controls into daily activities, including policies, training, and monitoring
- Performance of periodic compliance risk assessments, including clear articulation of risk statements
- Assignment of internal stakeholders with responsibility for each of the sub-risks identified within compliance areas
- Remediation of gaps in mitigation and monitoring activities through corrective action
- Communication of the status of mitigation and monitoring efforts to the Compliance Advisory Committee
- Scanning of internal and external environments for emerging risks and opportunities.