The Audit, Compliance and Risk Committee of the Board of Visitors convened Friday to review the FY2025 Financial Statement Audit Progress Report and to discuss privacy and compliance at the University. Following its open session, the Committee met in closed session to receive legal advice from University Counsel related to compliance risk assessments and to discuss financial and business decisions concerning the University’s Health System.
The Committee plays a key role in carrying out the Board’s fiduciary duties around financial statements, meaning its legal and ethical obligations to act in the best interest of the University. The Committee also oversees institutional compliance and risk management.
Gary Nimax, assistant vice president for compliance, led the discussion on updated compliance policies and practices to maintain a safe and open working environment at the University and Medical Center.
Within the discussion of compliance, Director of Privacy Programs Meredith Mays Espino introduced the Privacy Management Accountability Framework, which is intended to guide the University’s efforts to comply with federal, state, international and University-specific privacy requirements. Espino said the University is in the process of adopting the framework as an overarching set of policies governing all privacy practices in the academic division, something the University lacked before implementation began.
Previously, the University did not have a comprehensive governing policy related to privacy, but instead relied on dozens of discrete policies for the handling of personal information, each specific to a particular division of the University.
According to Espino, the overarching framework’s streamlining benefits are vast.
“The framework provides a governance structure, guidance on embedding privacy into operations, lays out how to monitor operational and data handling practices and requires tracking of new laws, regulations and best practices,” Espino said.
Besides reviewing University privacy policies and ensuring regulatory standards are met, Espino has created a website where University members can find information on the University’s privacy policies and on individuals’ privacy rights.
Committee member David F. Webb asked about the role of parents when it comes to a student’s privacy and what voluntarily waiving privacy to disclose academic information to parents looks like in practice. Nimax confirmed that students complete documentation through the Student Information System to waive privacy for parents or legal guardians.
Transitioning to compliance at the University, Nimax presented on the structure of the compliance system. He explained the policies and training currently in place to ensure faculty and staff have easy access to reporting mechanisms and know their responsibilities when it comes to compliance.
The University must comply with federal, state and other regulatory requirements, and Nimax said that the widely accepted best practices come from the Seven Elements of an Effective Compliance Program. These elements include oversight and periodic reporting on compliance to the Board, effective training and communication, systems for monitoring and reporting suspected wrongdoing without fear of retaliation, and reasonable steps to respond to and prevent offenses.
Board member Doug Wetmore asked Nimax about the independence of departments within the University to manage their own compliance and whether employees have adequate means of reporting concerns. Chief Operating Officer Jennifer Wagner Davis responded that employees do have adequate means of reporting instances of failed compliance.
“If there's a situation where an employee feels a supervisor or a colleague is blatantly violating a policy or procedure, there are multiple channels in which that person can raise their concern and have protection,” Wagner Davis said.
To report concerns, University members may either call the compliance helpline or complete a web intake form at report.virginia.edu. Whistleblowers may choose to remain anonymous, and Nimax said about one-third do. He added that a single helpline reduces confusion compared with maintaining separate helplines for various departments of the University. Of the reports received, Nimax said about two-thirds are fully or partially substantiated.
Krista Barnes, chief corporate compliance and privacy officer for U.Va. Health, presented a compliance update for the Medical Center. According to her presentation, the number of reported incidents has significantly increased this year from 719 in FY24 to 942 in FY25, which she believes demonstrates trust in the compliance system and accessibility of the reporting mechanisms. Nimax agreed with Barnes that the high number of documented investigations this year — 600 — reflects the success of the Medical Center’s compliance efforts.
“Some organizations fall into the trap of thinking that no reports means there are no problems, and that's definitely not the case,” Nimax said. “It's better for us to identify these issues ourselves and deal with them proactively.”
Nimax also presented the Board with the Code of Ethics for faculty and staff, which is included in the new employee onboarding process. The Code lays out guidelines on topics such as respect in the workplace, reporting without fear of retaliation, managing conflicts of interest, and gifts and gratuities.
Augie Maurelli, vice president for finance and chief financial officer, provided the FY2025 financial and audit update. According to Maurelli, the University is ahead of schedule and will learn the outcome of the audit in December.
Following its open session, the Committee entered closed session to receive legal advice from University Counsel concerning the University-wide compliance risk assessments. The compliance review, which extends to all 12 schools, follows the Board’s March 7 resolution concerning the Office of Diversity, Equity, Inclusion and Community Partnerships at the University and aims to ensure compliance with that resolution, as well as with state and federal law.
Also in closed session, the Committee discussed strategic financial and business decisions regarding the Health System.
Vice Rector Porter Wilkinson concluded the meeting by praising the University’s commitment to compliance and thanking those who work to ensure the University continually meets regulations.
“We do have a robust culture here, both culture of compliance and of reporting, and we have all of you to thank for that,” Wilkinson said. “The Board is here to help you … but we really appreciate the work that you do … to make sure that this university is in compliance across the academic division and the Medical Center.”
The Audit, Compliance and Risk Committee will reconvene at the Board’s next meeting Dec. 4-5.