
Hierarchy of Regulations and Policies

Regulations and Policies

  • Federal regulations
    • The federal laws with which the University must comply. Examples include (not an exhaustive list):
      • Health Insurance Portability and Accountability Act (HIPAA)
      • Family Educational Rights and Privacy Act (FERPA)
      • Family and Medical Leave Act (FMLA)
      • Federal Funding Accountability and Transparency Act (FFATA)
  • State statutes
    • The state laws to which the University must adhere. Examples include (not an exhaustive list):
      • Kentucky Model Procurement Code – Kentucky Revised Statute (KRS) Chapter 45a
      • The State University Model Records Retention Schedule – Kentucky Administrative Regulation 725 KAR 1:061
      • The Kentucky Open Meetings Act and Open Records Act – KRS 61.800 to 61.850 and KRS 61.870 to 61.884, respectively.
      • Kentucky Wage and Hour Laws – KRS Chapters 207, 337 and 339 and Title 803 KAR
  • Industry requirements
    • The standards that industry associations or commissions require the University to uphold, at the risk of fines, loss of accreditation or other penalties. Examples include (not an exhaustive list):
      • Academics: The Southern Association of Colleges and Schools Commission on Colleges (SACS-COC)
      • Health Care: The Joint Commission (TJC)
      • Athletics: National Collegiate Athletic Association (NCAA)
      • Information Technology: Payment Card Industry Data Security Standard (PCI-DSS)
      • Business: International Organization for Standardization (ISO) and Governmental Accounting Standards Board (GASB)
  • Governing Regulations
  • Administrative Regulations
    • Policies adopted by the president to implement the Governing Regulations and provide for the general administration and oversight of the University.
  • Enterprise policies and procedures
  • Divisional/departmental/unit procedures
    • Unit-specific instructions.
      • UK HealthCare (UKHC)
      • Pharmacy Services
      • Athletics
      • Cooperative Extension
      • College/unit standard operating procedures
[Figure: Pyramid depicting levels of policy and regulations, from federal to individual university units.]

UK Internal Audit (UKIA) systematically evaluates UK regulations, policies and procedures at all levels of the enterprise through a hierarchical lens (see diagram above). This ensures that each one not only aligns with related internal policies but also complies with all federal regulations, state statutes and industry standards to which the institution — and its divisions — must adhere.

Accordingly, UK’s policies at every level may be more — but not less — restrictive than those that rank above them in this hierarchy. For example, UK HealthCare may develop Information Technology policies and procedures for its needs in health care that are more restrictive than ITS’ University-wide policies, and the University’s Human Resources policies and procedures may be more restrictive than UK’s Administrative Regulations.

However, no unit may implement policies or procedures that are less restrictive or have lower standards of compliance than those that rank above it. Where a division/department/unit has difficulty fulfilling the procedures to the letter because of size or other resource limitations, compensating controls should be developed in collaboration with the process owner so that the amended procedure is equally or more restrictive than the relevant higher-ranking policy. This ensures that the risk the policy or procedures are designed to manage or minimize is not increased.

Additionally, UKIA gauges UK enterprise policies and divisional/departmental/unit procedures through a "risk-based" lens to ensure they provide clear guidance that facilitates efficient and effective operations while maintaining proper internal controls that adequately protect the University.

UK Policy Reviews

UKIA's thorough knowledge of UK's internal regulations and policies and how they interplay, as well as the relevant federal regulations, state statutes and industry standards, enables us to provide a global perspective to assist divisions/departments/units with policy reviews and updates. If your unit would like UKIA’s assistance reviewing your policies for congruence and compliance, please contact us by email at internalaudit@uky.edu or by phone at 859-257-3126.

Frequently Asked Questions

Submit any questions you may have to internalaudit@uky.edu. UKIA will answer your question(s) directly. If a question pertains to the wider UK population, we will add it and the corresponding answer here.

Q: UKIA receives a number of questions from employees in divisions that have industry requirements more stringent than UK’s and, as a result, must maintain records in far greater detail than UK needs – or even wants. They want to know with which requirement they should comply.

A: Comply with the one that is more restrictive/prescriptive. If UK requires eight data points and your unit’s policy requires your database to include those eight plus 10 others because of industry requirements or federal regulations, then your unit is in compliance with UK’s policy, because what is being provided is more, not less, than UK’s requirement.

Q: UK’s (policy x) does not mention specific federal regulations or industry requirements. Is my unit still expected to follow the federal regulation or state statute?

A: UK’s regulations and enterprise-level policies and procedures are developed in collaboration with General Counsel to help ensure that they align with federal regulations and state statutes as well as many high-level, high-profile industry requirements, such as SACS-COC and NCAA. While they may not reference specific laws or industry requirements, all University operations are expected to comply with all federal and state laws. Should you come across an activity that does not appear to be in compliance, please reach out to UK Internal Audit for guidance.