Finance Conference - Compliance Combined
Overview of Compliance
Lukasz Bohdan - Director of Assurance
Tax Compliance
Sally McKinlay – Head of Tax
How can we solve an issue like compliance?
Finance Conference
Lukasz Bohdan
Director of Assurance
24 November 2021
Outline
5. Next steps
What’s the issue we are trying to address?
We don’t truly understand the extent of the problem as our reporting and assurance arrangements are underdeveloped, but based on what we do know…
• In some, although important (!) areas the University* is not compliant with the law (e.g. GDPR, H&S) and its own policies and does not follow current good practice (e.g. counter-fraud, whistleblowing), consequently:
• We are sitting on a number of risks which expose the University to a range of significant/unpalatable consequences (see next slide)
Consequences (diagram):
• Uninsurable risk
• Reputational damage
• Major incident and/or higher insurance premiums
• Management time and costs of investigations, disciplinary processes etc.
• Corporate and personal liability
• Impact on recruitment and retention
What are we going to do about this? Develop a prioritised programme of work, mindful of other competing demands
Some suggested principles to guide this work
• Risk-based approach – focus on mitigating the greatest risks first, but mindful of the need to:
– work in partnership and distribute the necessary work between the centre v. divisions/departments/faculties
– consider other workload impacts on divisions and departments and timetable work accordingly
– start with the areas where there is support for action
• Doing it with you, not to you – engaging with divisions, departments, faculties and services. Where possible use the existing fora for engagement
• Make best use of resources – look at end-to-end processes and respective roles of central functions, divisions, departments/faculties
• Don't let the perfect be the enemy of the good – informed by good practice, but pragmatic, proportionate solutions that fit Oxford’s context
• Known high risk (on the University Risk Register or Principal Committees’/Divisional Risk Registers and/or identified through internal audit/other assurance work – e.g. GDPR)
• Divisional/departmental capacity to tackle – i.e. absolute headroom and picking the right time so this work fits around other things already going on
Risk, Compliance and Assurance areas in need of development – with University-wide impact
Area | Priority | Impact on departments / divisions
International Collaboration, Security and Export Controls | M-H | L
Fundraising/donations | ? | ?
• Data protection: actions in response to audit findings and priorities agreed with Divisions
• Divisions: leadership, support, conduit between the centre and departments/faculties. Division-specific centres of excellence. Assurance over departmental/faculty activities. Manage the complete picture of demand coming from ‘the centre’
• Departments/Faculties: local leadership: setting expectations; dealing with case work (low complexity, high volume); investigations etc.
Next steps
• Further engagement with Divisions, HAFs, DAs and local champions to fine-tune the approach and agree timing and priorities
• Tackle one issue a term (e.g. aspects of GDPR; export controls): first, the ‘centre’ develops the framework, tools, templates, training etc. Next, take advice and test/pilot with a small group of departmental/faculty reps. Then, the following term, we ask departments/faculties/services to tackle the issue (with the Divisions acting as a conduit, supporting the work).
Enabled by:
– Engagement with HAFs, local champions and senior academics (e.g. via Divisional Registrars and Divisional GPCs)
– Upskilling people on the ground: professional networks; training; coaching etc.
– Termly ‘push’ with supporting materials (e.g. template emails, case studies etc.)
– Better processes and systems
Q&A
1. Do you agree with the diagnostic and the need for change?
• https://www.sli.do/
BROAD SANCTIONS
• North Korea – banks will not facilitate any payments (directly or indirectly) to/from
• Iran – have to seek permission from the bank prior to making or receiving a payment. Unlikely to be approved.
NARROW SANCTIONS
• Other countries – seek advice before making or receiving a payment: Cuba, Syria, Crimea, Venezuela, Sudan,
• Care needed: Russia, Afghanistan, Myanmar, Belarus (and others)
Due diligence
“Due diligence is the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party”
Should be undertaken when accepting:
• Donations
• Research
• Student/Course Fees
• Taking on new customers/suppliers (KYC)
See AML web page https://finance.admin.ox.ac.uk/anti-money-laundering-guidance
University responsibilities
(2) To manage the tax risks and opportunities arising from routine operations;
Training video
https://finance.admin.ox.ac.uk/criminal-finances-act-old#tab-1165416
The University’s central compliance list
For example:
- Definition of medical substances used for medical research
- Software used for medical research
Imports/Exports – big issue