UK Internal Audit (UKIA) systematically evaluates UK regulations, policies and procedures at all levels of the enterprise through a hierarchical lens (see diagram above). This ensures that each not only aligns with other related internal policies but also complies with all federal regulations, state statutes and industry standards to which the institution — and its divisions — must adhere.
Accordingly, UK’s policies at every level may be more — but not less — restrictive than those that rank above them in this hierarchy. For example, UK HealthCare may develop Information Technology policies and procedures for its needs in health care that are more restrictive than ITS’ University-wide policies and the University’s Human Resources policies and procedures may be more restrictive than UK’s Administrative Regulations.
However, no unit may implement policies or procedures that are less restrictive or have lower standards of compliance than those that rank above it. Where a division/department/unit may have difficulty fulfilling the procedures to the letter due to size or other resource limitations, compensating controls should be developed in collaboration with the process owner such that the amended procedure is equally or more restrictive than the relevant higher-ranking policy. This ensures the overall risk that the policy or procedures are designed to maintain or minimize is not jeopardized.
Additionally, UKIA gauges UK enterprise policies and divisional/departmental/unit procedures through a "risk-based" lens to ensure they provide clear guidance that facilitates efficient and effective operations while maintaining proper internal controls that adequately protect the University.
UK Policy Reviews
UKIA's thorough knowledge of UK's internal regulations and policies and how they interplay, as well as the relevant federal regulations, state statutes and industry standards, enables us to provide a global perspective to assist divisions/departments/units with policy reviews and updates. If your unit would like UKIA’s assistance reviewing your policies for congruence and compliance, please contact us by email at internalaudit@uky.edu or by phone at 859-257-3126.
Frequently Asked Questions
Submit any questions you may have to internalaudit@uky.edu. UKIA will answer your question(s) directly. If it pertains to the wider-UK population, we will add the questions and corresponding answers here.
Q: UKIA receives a number of questions from employees in divisions which have industry requirements that are more stringent than UK’s and, as a result, have to maintain records in far greater detail than UK needs – or even wants. They want to know to which they should comply.
A: The answer is to comply with the one that is more restrictive/prescriptive. If UK requires eight data points and your unit’s policy requires your database to include those eight but has 10 others in addition due to industry requirements or federal regulations, then your unit is in compliance with UK’s policy as what is being provided is more, not less than UK’s requirement.
Q: UK’s (policy x) does not specifically mention specific federal regulations or industry requirements. Is my unit still expected to follow the federal regulation or state statute?
A: UK’s regulations and enterprise level policies and procedures are developed in collaboration with General Counsel to help ensure that they align with the federal regulations and state statutes as well as many high-level, high-profile industry requirements, such as SACS-COC and NCAA. While they may not reference specific laws or industry requirements, it is expected that all University operations comply with all federal and state laws. Should you come across an activity that does not appear to be in compliance, please reach out to UK Internal Audit for guidance.