2/23/2018. Compliance governance and landscape What are the rules, and who makes them? Presentation content. Session objectives


Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2/23/2018

Compliance governance and landscape: What are the rules, and who makes them?

Presentation content
> Overview of the compliance environment for higher education institutions
> Federal sentencing guidelines and establishing an effective compliance program
> Compliance governance and internal audit's role

Session objectives
> Understand a university's compliance environment
> Recognize the relevant standards governing higher education institutions
> Know how to distinguish which rules apply to your institution, and what standards, or criteria, to audit against
> Understand internal audit's role in compliance
> Understand the benefits of working together with compliance and general counsel

Overview of the compliance environment for higher education institutions

The compliance environment: complexity of higher education operations
> Institutions of higher education are dynamic, complex organizations. They are faced with many of the concerns of a standard business or for-profit organization, often managing budgets to rival Fortune 500 companies.
> Institutions also must adhere to a specific mission, typically focused on scholarly achievement, research, and public engagement.
> Institutions employ thousands of faculty and staff to support the thousands of students and other stakeholders. These operations span numerous areas of activities, and often cross borders and jurisdictions (locally, nationally, and internationally).

The compliance environment: example scope of university operations
Operational Areas
  - Main Campus
  - Satellite Campus(es)
  - Athletics
  - Online Programs
  - International Programs
  - Other Off-Campus Programs
Shared Services
  - Student Support Services
  - Information Technology
  - Sponsored Research
  - Treasury/Finance/Accounting
  - Human Resources
  - External Relations/Fundraising
University Tools and Resources
  - Enterprise-Wide Systems
  - Internal Working Groups
  - Disaster Preparedness Program
  - Risk Assessments
  - Outsourced Relationships/Partnerships
  - Sponsorships/Contracts

The compliance environment: breadth of compliance concerns
> Based on the complex operating structure of higher education institutions, there are a great number of compliance concerns that must be addressed and monitored:
  - Academics/accreditation
  - Advancement/development
  - Affiliated entities
  - Athletics
  - Data privacy and security
  - Disaster preparedness and recovery
  - Diversity and equality
  - Employment
  - Endowments
  - External advertising/social media
  - Facilities (including accessibility)
  - Financial aid
  - Financial reporting
  - International regulations
  - Public safety and security
  - Sponsored research
  - Taxation and not-for-profit status

The compliance environment: what are the applicable rules?
Federal
Higher education institutions are subject to a wide range of regulations across all areas because of the breadth and depth of these requirements (over 450 distinct compliance requirements). Some examples of regulations include:
  - Americans with Disabilities Act (ADA)
  - Employment Laws
  - Family and Medical Leave Act (FMLA)
  - Foreign Corrupt Practices Act (FCPA)
  - Family Educational Rights and Privacy Act (FERPA)
  - Federal Sentencing Guidelines
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Higher Education Act (HEA)
  - Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act)
  - Occupational Safety and Health Administration (OSHA)
  - Tax code
  - Title IX
  - Uniform Guidance

The compliance environment: what are the applicable rules?
State and Local
  - Employment Laws
  - Zoning regulations
International
  - Data Privacy, including General Data Protection Regulation (GDPR)
  - Employment Laws
  - Export Controls
Other
  - Accreditation
  - Institutional Data Reporting to the Integrated Postsecondary Education Data System (IPEDS)
  - National Collegiate Athletic Association (NCAA) guidance
  - Research regulations

The compliance environment: sample compliance requirements by institutional area
  - Academics/Accreditation: Must comply with HEA and the Higher Education Opportunity Act (HEOA)
  - Athletics: Must have NCAA committee/compliance coordinator
  - Data Privacy & Security: Must comply with regulations such as HIPAA and FERPA
  - Diversity & Equality: Must have Title IX Coordinator responsible for responding to reports of sexual violence
  - Employment: Must comply with FMLA, Equal Pay Act, and Equal Employment Opportunity
  - Financial Aid: Must report financial and institutional data to IPEDS, GLBA compliance
  - Physical Safety & Security: Must comply with the Clery Act, OSHA, and ADA
  - Sponsored Research: Must comply with new Uniform Guidance (2 CFR 200) and research requirements by sponsor

The compliance environment: regulatory order of precedence
> When a situation arises, institutions must identify which requirements are applicable, and often must decide which requirements take precedence. Further, institutions will often be held to any standard they follow that is more stringent than the ones applicable to the given stakeholder.
Example: If an institution is subject to laws from its local jurisdiction (which are more strict than state or federal laws), state or federal agencies will often assess compliance against local jurisdiction laws.

The compliance environment: regulatory order of precedence and risk prioritization
> Institutions are expected to have processes which comply, at a minimum, with federal standards, but many institutional policies will further define requirements for operations
> Compliance requirements impact how risk areas are prioritized in a risk assessment. Additionally, having organized processes with clearly defined roles and responsibilities helps to prioritize institutional risks
> Risk assessments should integrate with institution-wide risk management systems, assessing the organization and its activities as a whole, including organizational structures, recent organization changes, and leading practices

The compliance environment: example regulatory order of precedence for research awards
> Research awards may be subject to additional conditions or regulations depending on the awarding agency or project sponsor
  - Institutions will be audited against the most stringent standards applicable (assuming they meet the minimum standards required)
  - Internal audit needs to be sure that they understand which requirements take precedence, and therefore would be used as the audit standard
[Figure levels, in the order shown: Institutional policies; Award terms and conditions; Sponsoring agency policy statement(s); Federal laws and regulations]

The compliance environment: key stakeholders
> With the high numbers of compliance areas and requirements, institutions are also facing oversight and scrutiny from a large number of constituents:
  - Federal government
  - Students
  - State government(s)
  - General public
  - Local government(s)
  - Parents
  - Research sponsors
  - Faculty
  - Board members
  - Alumni
  - Donors
  - Community

The compliance environment: organizing for compliance
> The structure, location, and dedicated resources of a compliance organization (compliance office) will vary by institution
> Some follow a centralized model, with a specific office responsible for compliance activities. Others have multiple offices overseeing the various aspects of compliance
> Focus of a compliance office is on institutional compliance
> Objective of a compliance office is to promote an ethical and compliant environment
> The compliance office is a function of management and is responsible for reporting their activities and findings, including often reporting to the board

Federal sentencing guidelines and establishing an effective compliance program

Federal sentencing guidelines and establishing an effective compliance program
What it is: Guidelines created by the Sentencing Reform Act of 1984, issued by the United States Sentencing Commission.
Who's included: Individuals and organizations convicted of felonies and serious (Class A) misdemeanors.
Purpose of regulation: Details a uniform sentencing policy in the U.S. court system. Courts and prosecutors are required to make choices regarding prosecution, settlement, and the size of fines based on the Sentencing Guidelines.
In addition (and likely more applicable to your institution), the Guidelines detail the requirements of an effective compliance and ethics program for an organization (Chapter 8, Part B Manual

Federal sentencing guidelines and establishing an effective compliance program
In addition, and more applicable to your institution, the Federal Sentencing Guidelines detail the requirements of an effective compliance and ethics program for an organization: Chapter 8, Part B2.1 of 2016 Manual (still in effect)

Federal sentencing guidelines and establishing an effective compliance program
Chapter 8, Part B2.1
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of section 8 C 2.5 (Culpability Score) and subsection (b) (1) of section 8 D 1.4 (Recommended Conditions of Probation Organizations), an organization shall -
  (1) Exercise due diligence to prevent and detect criminal conduct; and
  (2) Otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

Federal sentencing guidelines and establishing an effective compliance program
(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
  (1) The organization shall establish standards and procedures to prevent and detect criminal conduct;
  (2) (a) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program

Federal sentencing guidelines and establishing an effective compliance program
  (2) (b) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program
  (c) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority

Federal sentencing guidelines and establishing an effective compliance program
  (3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program
  (4) (a) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities
  (b) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents

Federal sentencing guidelines and establishing an effective compliance program
  (5) The organization shall take reasonable steps
  (a) To ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
  (b) To evaluate periodically the effectiveness of the organization's compliance and ethics program; and
  (c) To have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation

Federal sentencing guidelines and establishing an effective compliance program
  (6) The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct
  (7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program

Federal sentencing guidelines and establishing an effective compliance program
(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

Federal sentencing guidelines and establishing an effective compliance program: leading practices
As part of maintaining an effective compliance and ethics program, an institution is required to conduct periodic risk assessments and modify the program appropriately to reduce the risk of criminal conduct.
Leading practices include:
> Comprehensive, ongoing risk assessments (senior leaders analyzing and prioritizing risks)
> Self-governing ethical culture (establish and publicize a hotline for reporting non-compliance)
> Institution-wide compliance code and policy understanding (annual communications)
> Annual reporting of prior year risk management plans compared to accomplishments and fiscal year plans.
> Periodic meetings between the audit committee and management to review the university's major business risk exposures (compliance, financial, operational, reputational, strategic, emerging, etc.) and inquire of management how key risks are identified, evaluated, and managed

Compliance governance and internal audit's role

Compliance governance: the case for compliance audits
> Why should institutions perform audits and reviews of compliance?
> Compliance reviews provide an independent review of management and operations.
> While institutions face a litany of risks across areas of finance, strategy, and operations, risks related to compliance typically make their way toward the top of any institution's risk assessment.
  - Compliance risks are more likely to be closely linked to reputational harm or to find their way to the front page

Compliance governance: the case for compliance audits
> In addition to reputational harm, the cost of compliance for an institution can often escalate quickly and have serious impacts on its ability to respond to other concerns.
  - Potential fines, penalties, or loss of funding
  - Commitment of time and resources
  - Often require external assistance (e.g., consultants and lawyers)

Compliance governance: examples of the cost of noncompliance
> Michigan State sexual assault scandal
  - Former Michigan State employee and USA Gymnastics physician pleaded guilty to seven counts of first-degree sexual assault after being accused of sexually assaulting over 150 women and girls
  - The University is now being scrutinized for its handling of past Title IX investigations and their methods of internally dealing with sexual assault cases across the institution

Compliance governance: roles
> To understand internal audit's role in compliance, it is first important to understand the difference between the objectives of the compliance function, general counsel, and internal audit
  - The compliance function is a component of the internal control structure (management)
  - General counsel is a component of risk management (management)
  - Internal audit assesses and reports on the internal control structure (independent of management)

Compliance governance: IIA's Three Lines of Defense
[Figure. Source: The Institute of Internal Auditors (IIA)]

Compliance governance: internal audit's role
> Internal audit works on behalf of an institution, helping to:
  - Evaluate and review systems, processes, and procedures to help achieve desired goals and objectives
  - Assess the design of policies and controls
  - Assess compliance with federal regulations
  - Evaluate risks existing within current operations
> Reviews may be focused on an organizational level or on specific departments or awards

Compliance governance: compliance's role
> Management of university's policy publication process
> Communication and training to the university of content of selected policies
> Management of confidential/anonymous reporting process
> Collaboration with general counsel and IA in investigations/reviews
> Coordination of annual risk assessment process
> Monitoring of compliance activities and processes

Compliance governance: general counsel's role
> Management of university's legal issues
> Communication of laws that are applicable to university operations
> Assisting the university in complying with local, state, federal, and international laws
> Collaboration with compliance and IA in investigations/reviews
> Advising on legal and regulatory questions related to the university's activities (e.g., transactional matters, dispute resolution, and policy formulation)
> Representing the interests of the university in administrative and judicial proceedings

Compliance governance: sample organizational structures
[Organizational chart. Boxes: Board of Trustees; Audit, Compliance, and Management Review Committee; Chancellor; Executive Compliance Committee; Internal Audit Committee; Compliance Officer; Chief Audit Executive. Reporting-line legend: Functional; Administrative and Functional]

Compliance governance: sample organizational structures
[Organizational chart. Boxes: University Board of Trustees; University President; Audit Committee; Chancellor; Chief Audit Executive; Institutional Ethics and Compliance; School Audit Team; Chief Compliance Officer; Institutional Ethics and Compliance Director; School Compliance Office; Quality Assurance Team; All people who manage a compliance risk. Reporting-line legend: Functional; Administrative and Functional]

Compliance governance: sample organizational structures
[Organizational chart. Boxes: Board of Trustees; Medical School Executive Committee; Medical School Audit Committee; Medical School Dean; Hospital CEO; President; University Trustee Audit & Compliance Committee; Executive Vice President (EVP); VP of Audit, Compliance and Privacy. Reporting-line legend: Functional; Administrative and Functional]

Compliance governance: sample organizational structures
Key Roles in Compliance
Offices that provide compliance support such as tools, training and investigation assistance to address compliance concerns and risks.
  - Office of Institutional Compliance
  - Office of the General Counsel
Offices whose responsibilities predominantly involve compliance.
  - Institutional Animal Care and Use Committee (Animal Welfare)
  - Office of Research Integrity
  - School of Medicine Human Research Protections (IRB)
  - Office of the Vice Provost for Research (COI, Research Misconduct)
  - University Privacy Officer (HIPAA, Breach Notification)
Offices who have multiple responsibilities including compliance.
  - Finance (Tax, Payroll)
  - Student Registration and Financial Services (FERPA, Title IV)
  - Human Resources (FMLA, FLSA, COBRA, ERISA)
  - Office of Human Research (Human Subjects Protection)
  - Athletics (NCAA, Title IX)
  - University Laboratory Animal Resources (Animal Research)
  - Public Safety (Clery, HEOA)
  - Technology Transfer (Patents)
  - Office of Research Services (Uniform Guidance)
  - Vice Provost for University Life
  - Privacy Liaisons & HIPAA Privacy Officers
  - Facilities and Real Estate Services (Building Codes)
  - International Programs
  - Information Systems and Computing
Other entries on the slide: Environmental Health and Radiation Safety (OSHA, Hazardous Materials); (SEVIS, Immigrations Compliance); Affirmative Action (Equal Opportunity, Title IX, Discrimination, Harassment); (FERPA, HIPAA, HEOA, Diversity Issues, etc.); (PCI, Gramm-Leach-Bliley, e-discovery)

Compliance governance: how and when should internal audit get involved?
> Internal audit can begin an audit or review in a number of ways:
  - Area of focus from risk assessment
  - Standard audit plan activity
  - At the request of a department or process owner
  - As a result of recent hot topics or external audits
  - Whistleblower/allegation
IA doesn't just find fault and create more work! IA can help to evaluate or assess controls at any phase of a project, including: initial design (cannot actually create the design), implementation, beta testing, roll-out, or any other time there may be a concern.

Compliance governance: internal audit's relationship with other audit organizations
> While financial statement, sponsor auditors, and other governmental auditors/regulators are working to provide assurance to external sources, internal audit is helping to promote compliance and efficiency. Possible activities include:
  - Process reviews
  - Program/project-specific audits
  - System audits
  - Fraud investigations
  - Education/trainings
[Figure: Information sharing on audit areas between Internal Audit and External Auditors]

Compliance governance: internal audit's relationship with other audit organizations
> Internal audit may work in conjunction with the external audit teams or help the institution coordinate other external reviews. These reviews can include:
  - Working with governmental departments during federal investigations (e.g., Department of Education and NSF)
  - Working with the university's NCAA committee, Title IX Coordinator, and other department leads
  - Working with the university to self-report audit findings (public institutions may be subject to the Freedom of Information Act)
  - Working closely with compliance and general counsel

Compliance governance: a balancing act
[Figure labels: Process improvement; Innovation reviews; Operational areas; Cross-cutting; Financial controls reviews; Business continuity; Compliance audits; Risk analysis; VALUE CREATION: ADVISORY; VALUE PROTECTION: ASSURANCE; INTERNAL AUDIT]

Compliance governance: collaboration between compliance, general counsel and internal audit
> Collaboration between compliance, general counsel, and internal audit can lead to stronger business practices in meeting stakeholder expectations. The following areas are often where the responsibilities and expertise of compliance, general counsel and internal audit benefit from collaboration:
  - Linking the audit plan and risk assessment
  - Providing assurance that critical risks are being effectively mitigated
  - Cross-leveraging each function's respective competencies, roles, and responsibilities
  - Providing communication depth and consistency, especially at the board/management level
  - Assessing and monitoring strategic risks
  - Providing deeper understanding and focused action

Compliance governance: sample collaboration leading practices
In order to enhance collaboration between compliance, general counsel and internal audit, it is important to increase communication and develop a common language. The following are sample leading practices to follow to increase the university's value from collaboration.
Sample leading practices include:
> Periodic, reoccurring meetings between compliance, general counsel, and internal audit
> Establishing an Enterprise Risk Management (ERM) function that includes compliance, general counsel, and internal audit
> Coordinating joint training programs to reach an institution-wide audience
> Sharing reports to highlight areas of mutual interest, increase awareness, and ultimately lead to management action

Compliance governance: internal audit and confidentiality
> Information obtained or produced by an internal audit department is confidential and not subject to disclosure outside the university unless there is a legal or professional obligation to do so
> Investigations arise from:
  - Monitoring and review process done by IA and/or management
  - Reports to the anonymous hotline
  - Requests from compliance, general counsel, board members, or other senior leaders
  - Complaints filed with the compliance office or office of general counsel

Compliance governance: Attorney-Client Privilege (ACP)
> ACP protects communications between attorneys and clients under certain circumstances
> ACP generally applies to communications:
  - Between an attorney and the client;
  - Made in confidence; and
  - For the purpose of seeking or providing legal advice
> ACP can apply to internal audits when certain requirements are satisfied

Compliance governance: ACP and internal investigations
> ACP only applies when an internal investigation was primarily conducted for legal reasons; business reasons are insufficient
  - Applies if an internal investigation is directed by a university's in-house counsel
  - Legal counsel should be consulted at the onset of an investigation
> ACP does not apply to internal investigations conducted solely to satisfy external laws or internal policies
  - Investigations initiated to satisfy external laws or internal policies are at the direction of legal counsel if obtaining legal advice was a significant purpose of the investigation
  - These investigations are not conducted at the direction of legal counsel or to provide legal advice
  - The university does not need to seek guidance from outside counsel

Compliance governance: summary of internal audit's role
> Operating as a forward-looking, consultative function
> Anticipating and managing risks proactively
> Enabling business and process improvements
> Supporting the viability of its operations
> Reviewing departments that may have risk issues or require controls validation
> Reviewing process changes or confirming that existing processes are followed consistently and in accordance with documented policies
> Providing additional voice to the board
> Offering another perspective looking from the outside in

Compliance governance: summary of internal audit's role
> Providing a pragmatic approach to risk and control
> Orienting internal audit activities to align with the university's strategic goals
> Focusing work and reporting on where the university would like to be in the future
> Providing the university with recommendations that improve overall operations without increasing the number of controls or resources, if possible, but by realigning the use of existing resources
> Recommending additional controls or resources only when they are needed to mitigate risk

Any questions?

The Title IX risk landscape: What you need to know

Agenda
> Objectives
> Elements of Title IX: The legal aspect
> Major risks associated with Title IX
> Practical approaches for assessing compliance with Title IX
> Resources

Objectives
> Become familiar with the legal elements of Title IX guidance
> Identify risks associated with Title IX
> Identify issues to look for in each area and tips for auditing

Elements of Title IX: The legal aspect

Timeline: Federal law and guidance on sexual assault
  - Title IX of the Education Amendments to the Civil Rights Act of
  - April: Dear Colleague Letter (DCL): Sexual Violence
  - February: Violence Against Women Act (VAWA) signed into law
  - 2014 April: Office for Civil Rights (OCR) Questions & Answers (Q&A)
  - 2015 April: DCL: Title IX Coordinators
  - 2016 May: DCL: Rights of Transgender Students
  - 2017 September: The DOE withdraws 2011 DCL and 2014 Q&A
  - 2014: White House Task Force and Notalone.gov
  - 2014 October: VAWA Final Rule
  - 2015 July: VAWA Final Rule Effective
  - February: The DOE withdraws the DCL: Rights of Transgender Students
  - The DCL and Q&A on Campus Sexual Misconduct issued as interim guidance

Recently issued guidance
Dear Colleague Letter and Q&A on Campus Sexual Misconduct, September 22, 2017
  I. Withdrew previous guidance, including the 2011 DCL and 2014 Q&A on Title IX and Sexual Violence
  II. Criticized the prior administration for issuing the letter and Q&A without the appropriate public notice-and-comment period
  III. Issued interim guidance and plans to begin a public notice-and-comment period to incorporate the insights of all parties
  IV. The Revised Guidance (2001), and the DCL on Sexual Harassment (2006), are to be used in assessing schools' compliance with Title IX

DCL and Q&A on Campus Sexual Misconduct
Key items addressed in the newly issued Q&A, which reiterated and clarified some aspects of previously issued Title IX guidance, include:
> Standard of proof
> Rights of both parties
> Alternative means of resolution
> Application of interim measures
> Time frame for resolution
> Impartiality within adjudication process
> Written notice of decision
> Free speech protections

Standard of proof
> In investigating allegations of sexual misconduct, schools should use either a preponderance of evidence standard or a clear and convincing evidence standard
> The standard used must be consistent with the standard of evidence used in other student misconduct cases
> Previously issued Title IX guidance directed schools to use only a preponderance of evidence standard

Rights of both parties
> Rights or opportunities, including access to the investigation report and the opportunity to respond to the report in advance of a hearing, must be offered to both parties during an investigation
> Written notice must be provided to the responding party with sufficient details to allow for response, including the identities of the parties involved, the specific violation of the code of conduct, the conduct allegedly resulting in the violation, and the date and location of the incident

Alternative means of resolution
> If both parties in a sexual misconduct complaint agree to participate in an informal resolution and the school determines the nature of the complaint is appropriate for such a resolution, the school may facilitate informal resolution, including mediation, to resolve the complaint
> Both parties must receive a full disclosure of the allegations and the option to proceed with a formal resolution

Application of interim measures
> If the school determines it is appropriate to take interim measures (e.g., counseling, modifications of work and class, schedules, leaves of absence) during the investigation of a complaint, the interim measures must be made available to both parties and not be applied in a manner that favors one party over the other
> Schools must make every effort to avoid depriving any student of her or his education when implementing interim measures

Time frame for resolution
> There is no fixed time frame during which a school must complete an investigation
> OCR will assess schools' good faith effort to conduct a fair and impartial investigation
> Previously issued guidance indicated that schools should aim to conclude most investigations within 60 days

Impartiality within adjudication process
> The following should not apply sex stereotypes or generalizations:
  - Training materials for investigators
  - Training materials for investigative techniques
  - Decision-making techniques used in the adjudication process
> The Q&A indicates such materials or techniques may violate Title IX and should be avoided so that the investigation proceeds objectively and impartially

Written notice of decision and appeal process
> The rationale for the decision made and any sanctions applied should be included in the notification to the complainant and respondent of the institution's decision
> Sanctions must be proportionate to the violation and consider the impact of separating a student from his or her education
> If a school chooses to allow appeals from its decisions regarding responsibility and/or disciplinary sanctions, the school may choose to allow appeal solely by the responding party or by both parties

Free speech protections
> In regulating the conduct of students and faculty to prevent or redress discrimination, schools must formulate, interpret, and apply their rules in a manner that respects the legal rights of students and faculty, including those court precedents interpreting the concept of free speech
> Refers to the First Amendment: Dear Colleague Letter issued in 2003, which states that the offensiveness of a particular expression, standing alone, is not enough to create a hostile environment and that harassment must be sufficiently severe, persistent, or pervasive as to limit or deny a student's ability to participate in or benefit from an educational program

Title IX enforcement
> Responsibility of Department of Education (ED) Office for Civil Rights
> Penalties available at present include only the loss of eligibility for all federal funding; proposed legislation would authorize a new civil fine of not more than one percent of an institution's operating budget for each violation
> Number of open investigations for sexual harassment or sexual assault: 336 cases at 237 institutions as of June

Clery Act/VAWA enforcement
> Responsibility of ED Federal Student Aid
> Penalties available at present include civil fines of up to $35,000 for each violation; proposed legislation would increase fines to up to $150,000 for each violation
> Number of open investigations is unknown

Major risks associated with Title IX

Clery Act/VAWA enforcement
Institutions who are found to have Title IX compliance violations are at risk for:
> Community mistrust, reputational damage
> Loss of federal funding
> Lawsuits: OCR oversight

Areas of potential exposure

Department of Education investigations
According to the Chronicle of Higher Education's tracking of Title IX sexual assault investigations:
> Since 2011, the federal government has conducted 458 investigations of colleges for possibly mishandling reports of sexual violence
> So far, 121 cases have been resolved and 337 remain open
[Chart: Title IX investigations, resolved and open]

Examples from the news
> 2018: Investigations find MSU has a pattern of widespread denial, inaction and information suppression of sexual assault, violence, and gender discrimination complaints. (ESPN, Outside the Lines Investigation)
> 2017: Big 12 Withholding 25% of Revenue from Baylor pending review of Title IX Changes (USA Today)
> 2016: Florida State settles for $950,000 in Jameis Winston rape case (CNN)
> 2015: UVA Fostered Hostile Environment for Sexual Assault Survivors (USA Today)
> 2016: Kansas State's indifference to one rape helped lead to another. (The Washington Post)

Practical approaches for assessing compliance with Title IX

Practical approaches and tools for Title IX compliance
> Understand the language of Title IX, the Office for Civil Rights interpretation of the Revised Guidance (2001), the DCL on Sexual Harassment (2006), and the 2017 Dear Colleague Letter and interim guidance
> Evaluate current practices, policies, and procedures to effectively handle Title IX complaints related to sexual misconduct involving students, faculty, staff, and third parties across campuses. Ensure key administrators and hand-off points are defined
> Work with process owners, General Counsel, and/or your Compliance office to assess your institution's effectiveness in its response to Title IX compliance and student safety (e.g., sexual assault policies, procedures, investigations, hearings, and resources)

Practical approaches and tools for Title IX compliance, cont.
> Use resources published by the White House Task Force on Protecting Students from Sexual Assault, which include a report detailing best practices for prevention of and response to sexual assault, a checklist for campus sexual misconduct policies, and key components of crisis intervention and victim service resources
> Bring in external support or subject matter experts to assess compliance and/or the effectiveness of implementation of the university's policies and procedures

How Internal Audit can help
> Assessing institutional compliance with Title IX regulations
> Identifying areas of institutional risk and exposure related to Title IX compliance
> Designing a Title IX process framework
> Revising policies and procedures to maintain compliance

Example criteria for evaluating policies and procedures
Policies and applicability
> University policy, including grievance procedures, applies to sexual harassment of students by teachers and other employees, by other students, and by third parties
> The policy defines a hostile environment, determined by factors such as:
  - The degree to which the conduct affected one or more students' education
  - The type, frequency, and duration of the conduct
  - The identity of and relationship between the alleged harasser and the subject or subjects of the harassment
  - The number of individuals involved
> Policies refer to the university's requirements under the Clery Act

Example criteria for evaluating policies and procedures, cont.
Investigation of complaints
> In cases involving potential criminal conduct, university personnel determine whether appropriate law enforcement authorities should be notified
> Procedures include a provision prohibiting retaliation against any individual who files a complaint or participates in a harassment inquiry
> Both the reporting and responding parties are given the opportunity to respond to the report in writing in advance of the decision of responsibility and/or at a live hearing to decide responsibility

Example criteria for evaluating policies and procedures, cont.
Written notice
> University provides the responding party written notice of the allegations constituting a potential violation of the school's sexual misconduct policy, including sufficient details and time to prepare a response before any initial interview
> University provides written notice to both parties (i.e., responding and reporting) in advance of any interview or hearing with sufficient time to prepare for meaningful participation
> University provides written notice of the outcome of disciplinary proceedings to both parties concurrently

Example criteria for evaluating policies and procedures, cont.
Training and remediation
> All designated employees receive adequate training as to what constitutes sexual harassment and are able to explain how the grievance procedures operate
> Employees with the authority to address harassment are appropriately trained to respond, and responsible employees know they are obligated to report harassment to appropriate school officials
  - Employee training includes practical information about how to identify harassment and, as applicable, the person to whom it should be reported

Example criteria for reviewing Title IX cases
Complaint documentation
> Dates of complaint, initial meetings, hearings, and appeals
> Hand-off points (e.g., with police, counseling services, Title IX coordinator)
> Documentation of investigation, resolution, and any follow-up conducted
> Written notices and communications, including notices of investigation, charges, conclusions, and appeals
> Equity in rights of both parties

Case study
Background
A private, urban, research university to perform a review of Title IX processes, internal controls, and infrastructure surrounding sexual assault and sexual misconduct
> Evaluated the institution's framework for Title IX compliance
> Interviewed key stakeholders to understand processes and practices
> Reviewed a sample of past complaints and the process for investigations
> Assessed coordination and communication between key stakeholders
Results
Analytics Identified enhancements to documentation, clarification of roles and responsibilities, record retention, consistency of resources, internal reporting, and training

Key takeaways
> Become familiar with issued guidance and resources
> Ensuring that necessary hand-offs occur, consistent documentation of the investigation is maintained from start to finish, and the complainant and respondent have equivalent rights throughout the investigation process can help mitigate key risks
> Consider collaboration with Compliance or subject matter experts to assist with reviews

Questions?

Required disclosure and Circular 230 Prominent Disclosure
> The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
> Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International

Baker Tilly Virchow Krause, LLP

2/26/2018

Athletics compliance, an introduction
Take your best shot

Agenda
> Session objectives
> In the news
> Importance of athletics compliance
> Internal audit's role in athletics compliance
> High risk audit areas
> Building a relationship with Athletics
> Audit resources

Session objectives
> Highlight matters in the news and internal audit's role
> Understand the fundamental concepts and terms involved in supporting (and auditing) athletics programs
> Highlight the role of internal audit in assessing athletics compliance
> Identify other areas where internal audit can assist

In the news

News story #1
> FBI investigation: An Adidas company executive, a sports agent, and University of Louisville (Louisville) coaches conspired to pay top recruits to play for Adidas-sponsored schools
> Louisville's Director of Athletics and Head Men's Basketball coach were fired
> Approximately 98% of cash provided by Adidas in current agreement with Louisville went to the former Head Men's Basketball Coach
  - Former coach filed a lawsuit against Adidas
  - Louisville is currently reevaluating a new $160 million sponsorship agreement with Adidas

NCAA legislation
Athletic equipment and apparel
> NCAA legislation prohibits the provision of athletic equipment and apparel to prospects/recruits, members of their families, friends, or their educational institutions during and after the recruitment process
> Provision of athletic equipment and apparel to student-athletes is allowed when this apparel is necessary for practice and competition
Representatives of the University's athletics interests
> An institution has a responsibility for the conduct of its athletics program and this responsibility includes acts of individuals, corporate entities, or other organizations who are considered representatives of the university's athletics interests (e.g., boosters)
> An expectation exists that the institution is monitoring the activities of all booster groups, regardless of whether these groups are under the control of the university's fiscal procedures

Internal audit's role
How IA can address these risks
> Determine whether the institution has controls to monitor and account for athletic equipment and apparel for student-athletes
> Understand the institution's monitoring and oversight of coaches' contacts, including recruitment contacts and additional contacts such as vendors and boosters
> Review third-party vendor contracts to assess reasonableness of financial relationships established through the contracts
> Review head coach and assistant coach contracts for high profile sports to understand financial obligations related to third-party vendors

News story #2
> Doctor for USA Gymnastics, faculty member at Michigan State, and team doctor for Michigan State Athletics
> Found guilty of and sentenced to:
  - Sixty-year federal prison term for child pornography convictions
  - Forty to 175 years in state prison after being found guilty of sexual assault charges
> Accusations of sexual abuse date back to

Internal audit's role
How IA can address these risks
> Determine whether the university is in full compliance with Title IX (focusing on civil rights and sexual assault internal controls)

Importance of athletics compliance
Address common risk areas:
> Compliance
> Reputational
> Financial
> Operational
Conduct the following activities to reduce compliance risk:
> Coordinate, educate, monitor, and verify compliance with all NCAA requirements and university policies and procedures

Importance of athletics compliance
Issues to consider:
> Institutional mission and goals
> Athletics department mission and goals
> NCAA compliance requirements
> NCAA self-reported violations
> Past problems and/or prior audits
> External and internal interests
> Public attention/scrutiny
> Available resources and time

Importance of athletics compliance: concept of institutional control
> Administrative policies/procedures: Does the institution have policies/procedures in place both within and outside of the athletics department? Are these policies/procedures followed and monitored?
> Educational programs: Do individuals who have responsibilities in the NCAA compliance area provide educational programs to Athletics and University personnel (e.g., Financial Aid Office, Admissions)?
> Monitoring: Is the institution monitoring its compliance systems?

Internal audit's role in athletics compliance
IA can support athletics compliance in the following ways:
> Perform an assessment of the implementation of the institution's policy and procedures
> Consider any support that IA can provide management related to internal control initiatives or interests (e.g., audit recruiting procedures, media rights contracts)
> Obtain an understanding of risks and opportunities related to a number of important operational areas identified by the NCAA

NCAA compliance areas
> Governance and organization
> Eligibility certification (including initial, continuing, and transfer)
> Academic performance program
> Financial aid administration
> Recruiting (off and on-campus)
> Camps and clinics
> Investigations and self-reporting
> Rules education
> Athletic equipment and apparel
> Complimentary admissions to athletic events
> Student-athlete vehicles
> Team travel
> Representatives of the University's athletic interests
> Playing and practice seasons
> Student-athlete employment
> Amateurism
> Coaching staff limits and contracts
> Sports Sponsorship

Internal audit athletics compliance assessment
> While it is no longer an NCAA requirement to have a four-year compliance assessment process, it is still a good practice to review compliance and evaluate the risk at your university
> Refer to the Appendix for overviews and audit objectives of key compliance areas
NOTE: NCAA Division I Manual Article Operating and Capital Financial Data Report requires an annual data report to NCAA that is verified by an independent accountant (typically the institution's financial statement auditor); this does not include the institution's compliance with NCAA legislation, it is solely related to the financial data.

High risk audit areas

Media rights
Overview
> Institutions negotiate contracts with media companies (e.g., IMG, Learfield, Collegiate Licensing Company) for the rights for radio and television broadcasts, Internet, and e-commerce rights
> These contracts can represent a significant portion of revenue for the institution
Audit objective
> To determine whether terms and conditions in contracts are appropriate and the athletics department is able to meet all requirements
TIP: The contract usually indicates that the university has the right to audit. This right is rarely exercised, but could be an important audit area to the university to help understand revenue calculations and allocations.

Expense review
Overview
> Institutions often have expense policies that the athletics department is expected to follow, including guidelines for appropriate purchases and approval chains
> Athletics departments' expenditures include high risk transactions, such as travel, gear, and meals
Audit objective
> To determine whether university policy is followed for all athletics department expenses (e.g., meals and travel are reasonable and necessary)
TIP: Perform an annual audit of high-level athletics department employees and high risk sports (football and men's and women's basketball), including individual coach expenses.

Building a relationship with Athletics

Building a relationship with Athletics
Internal Audit can develop and strengthen a relationship with Athletics:
> Participate in regularly scheduled Athletics meetings (e.g., monthly Coaches meeting, monthly Administrators meeting, monthly Compliance meeting) to gain a better understanding of issues, current events, NCAA updates, Athletics policies, and areas of improvement to help inform annual audit plan
> Indicate that IA is here to help, not hinder. It is not a "gotcha" function; the goal is to help improve performance and help them manage operational, compliance, and reputational risks
> Ask to present to the Athletics group at one of the monthly meetings to provide an understanding of what IA does generally and provide specifics related to Athletics

Other general tips
> Read what they read/stay on top of current events
> Ask questions; do not assume you are the expert or you know more than they do
> Follow protocol: follow up with your contact; do not go above his/her head unless he/she is unresponsive
> Go over findings at least once a week, depending on project timelines; there should not be any surprises in the final report
> Be sure to thank contact and Athletics staff for their assistance in the report and /verbally let the contact's supervisor know what a huge help he/she was, if appropriate

Audit resources

Audit resources
> NCAA Division I Manual
> NCAA Compliance Website
> NCAA Enforcement Website

Questions?

Appendix

Initial eligibility certification
Overview
> An institution may not permit a student-athlete to represent the university in athletics competition unless the student-athlete meets all applicable eligibility requirements established by the NCAA, the member institution's conference, and the institution
> The NCAA has specific standards that incoming students must meet prior to practicing, competing, and receiving institutional financial aid, which include graduation from high school with a minimum GPA, a certain SAT or ACT entrance exam score, and admittance to the institution per the university's normal admissions process
Audit objective
> To establish whether the athletics department has policies and procedures in place to determine and monitor student-athlete initial-eligibility based on NCAA legislation

Continuing eligibility certification
Overview
> An institution may not permit a student-athlete to represent the university in athletics competition unless the student-athlete meets all applicable eligibility requirements established by the NCAA, the member institution's conference, and the institution
> After a student-athlete has completed his/her initial year in residence or used one season of competition, the athlete must meet the university's general requirement of progress toward degree as interpreted by the institution and several additional requirements as detailed in NCAA legislation. These include completing a certain number of semester hours since the last season of competition and the previous semester; and declaring a major and maintaining a certain GPA
Audit objective
> To establish whether the athletics department has policies and procedures in place to determine and monitor student-athlete continuing-eligibility based on NCAA legislation

Transfer eligibility certification
Overview
> An institution may not permit a student-athlete to represent the university in athletics competition unless the student-athlete meets all applicable eligibility requirements established by the NCAA, the member institution's conference, and the institution
> A student-athlete who transfers from one member institution to another may need to meet certain NCAA requirements. Generally, an athlete must sit out from competition at the next institution for one academic year unless the athlete meets certain transfer exception requirements
Audit objective
> To establish whether the athletics department has policies and procedures in place to determine and monitor student-athlete initial-eligibility based on NCAA legislation

Financial aid administration
Overview
> A student-athlete may receive financial aid from the university or from certain sources outside the institution
> The cost of attendance for an athlete to attend the university is calculated by the institutional financial aid office per federal guidelines and generally includes tuition and fees, room and board, books and supplies, transportation, and several other expenses
> A student-athlete's maximum financial aid limit is the amount of the institution's cost of attendance
Audit objective
> To determine whether the institution has policies and procedures in place to administer and monitor the awarding of financial aid to student-athletes in accordance with NCAA legislation
TIP: Financial aid should be administered through the university's financial aid office (FAO). The athletics department should work with FAO to determine aid amount, but FAO administers process (e.g., award letters).

Off-campus recruiting
Overview
> NCAA recruiting legislation works to balance the interests of the prospect being recruited and the interests of the NCAA member who is attempting to gain the enrollment of the prospect of the institution
> In several sports, including football and basketball, the annual recruiting calendar is split into the following four recruiting periods:
  - Contact/recruiting period
  - Quiet period
  - Evaluation period
  - Dead period
Audit objective
> To determine whether the athletics department is maintaining proper documentation to establish compliance with NCAA legislation governing off-campus recruiting activities and whether the department is in compliance with these recruiting regulations

On-campus recruiting
Overview
> A university can finance only one official visit to its campus by a prospect. This visit cannot exceed 48 hours and the university may assign a student host to entertain the prospect, with a maximum of $40 per day to cover costs of entertaining the prospect, excluding the cost of meals and admission to campus athletics events
> A prospect may visit the university's campus at the prospect's expense on as many occasions as the university and the prospect wish
Audit objective
> To determine whether the athletics department is maintaining proper documentation to establish compliance with NCAA legislation governing on-campus recruiting activities and whether the department is in compliance with these recruiting regulations
TIP: Athletic Business Office staff should be trained on permissible expenses related to official visits, to provide further assistance in monitoring compliance

Camps and clinics
Overview
> NCAA legislation allows student-athletes to be employed at institutional or private camps, but they must have similar responsibilities and pay to other employees
> Prospects are not to be employed at institutional camps but may attend camps and pay the going rate
Audit objective
> To determine whether the athletics department maintains an adequate system, including policies and procedures, to establish compliance with NCAA bylaws governing sports camps and clinics
TIP: Many athletic departments establish a documented Camps and Clinics manual, which includes specific instructions on how a camp should be established and administered.

Investigations and self-reporting
Overview
> Administrative procedures both within and outside of the athletics department that are in effect and operational
> Educational and training programs for individuals within and outside of the athletics department who have responsibilities in the NCAA compliance area
> Monitoring programs to ensure that NCAA legislation is not being violated
Audit objective
> To ensure that a policy exists in writing concerning the review of information about potential violations of NCAA legislation and that specific individuals/titles are identified to undertake these responsibilities
TIP: Most universities will have minor violations that they self-report. Be concerned if your athletics department does not have any violations! Compliance should be monitoring and able to provide you with a report.
Rules education
Overview
> As discussed previously, in an effort to have strong institutional control over its NCAA compliance program, an institution is expected to have implemented:
  - Administrative procedures
  - Educational and training programs
  - Monitoring programs
Audit objective
> To ensure that the basic components of an effective rules education program are being undertaken
TIP: All Athletic Department staff and university staff with athletic responsibilities (e.g., Admissions, Financial Aid) should participate in an annual update on NCAA rules compliance, conducted by the institution's Athletics Compliance office

Team travel
Overview
> A university may provide actual and necessary travel expenses such as transportation, lodging, and meals to a student-athlete for participation in athletics competition, provided the student-athlete is representing the institution and is eligible for collegiate competition
Audit objective
> To determine whether university-provided travel is in compliance with NCAA regulations

2/26/2018

An introduction to human resources compliance: understanding the role of internal audit

Presentation contents
> Session objectives
> Overview of human resources
> Human resources audit overview
> Employment lifecycle
  - Hiring and orientation
  - Benefits
  - Termination
> Additional HR compliance concerns
> Resources
> Appendix

Session objectives
> Understand the fundamental concepts and terms involved in supporting (and auditing) human resources.
> Highlight the key human resource compliance areas in the employee lifecycle.
> Identify the role of internal audit in assessing human resource compliance.

Overview of human resources
> Human resource management (HRM or HR) is the management of an organization's human capital (i.e., employees).
> HRM includes:
  - Attraction of employees (e.g., talent acquisition)
  - Selection of employees
  - Training of employees
  - Assessment of employees
  - Rewarding of employees
  - Overseeing organizational leadership and culture
  - Ensuring compliance with employment and labor laws
  - Termination of employees (voluntary and involuntary)

Overview of human resources
U.S. DOL Mission Statement: To foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights.
There are a myriad of laws and regulations enforced by the U.S. Department of Labor (DOL) that HR must comply with, including:
> Consolidated Omnibus Budget Reconciliation Act (COBRA)
> Employee Retirement Income Security Act (ERISA)
> Equal Employment Opportunity (EEO)
> Family Medical Leave Act (FMLA)
> Fair Labor Standards Act (FLSA)
> Protected class federal and state laws and regulations (e.g., race, religion, national origin, sex, pregnancy, age, disability)

Human resources audit overview

What is a human resources audit?
> A human resources audit is a comprehensive review of current human resources policies, procedures, documentation, and systems to identify areas for improvement and enhancement and ensure compliance with changing rules and regulations.
> HR audits help protect companies by:
  - Identifying areas of concern that require immediate attention
  - Identifying gaps in key HR practice areas
  - Identifying strengths and needs for improvement in the human resources function

Why is a human resources audit necessary?
> Many laws affect each stage of the employment lifecycle, making it important for an employer to regularly review their policies and practices to ensure regulatory compliance in order to avoid any potential fines and/or lawsuits.
> An employer with regulatory compliance issues with their human resource practices could face:
  - Fair Labor Standards Act (FLSA):
    - Up to a $1,100 fine for willful or repeated violation of the minimum wage or overtime pay laws
    - Up to $11,000 for each violation of the FLSA's child labor provisions
  - Occupational Safety and Health Standards (OSHA):
    - Up to $126,000 for each willful or repeated violation
  - Fines of up to $3,563 per Form I-9 non-compliance

Employee lifecycle
[Diagram: employee lifecycle stages: hiring and orientation, termination, compensation, performance management, benefits]

Hiring and orientation

Hiring compliance
> There are several federal laws that employers must follow when hiring employees.
> EEO Laws prohibit discrimination in hiring decisions based on:
  - Age
  - Disability
  - Genetic information
  - National origin
  - Pregnancy
  - Race/Color
  - Religion
  - Sex
> Retaliation against a person who complained about, filed a charge of, or participated in an employment discrimination lawsuit or investigation is also illegal.

EEO compliance
Major federal laws and regulations that regulate EEO are listed below:
> Executive Order
> Title VII of the Civil Rights Act of 1964
> Title I of the Americans with Disabilities Act (ADA)
> The Vietnam Era Veterans' Readjustment Assistance Act of 1974
> Title II of the Genetic Information Nondiscrimination Act of 2008
Please refer to the Appendix for specific details on EEO compliance areas above.

EEO compliance (cont.)
Job descriptions and postings
> What recruitment methods were used to advertise the job opening?
  - Consider posting to websites, other than the organization's job website, to help meet EEO requirements (e.g., women's organizations, industry forums, and minority organizations).
> Do job postings include the appropriate disclaimers?
> Did the job description include key job functions?
> What is the employer's policy on job referrals?

EEO compliance (cont.)
Interviews
> Were interview questions vetted prior to the interview?
> Was each candidate asked the same questions?
> Were rating sheets completed and maintained following each interview?
Job Posting Location Examples
> One Stop Centers
> Veteran's Representatives
> Community Based Organizations
> Educational Institutions and Departments of Vocational Rehabilitation
> Specific Minority Associations (as applicable)
> Specific Industry or Departmental Websites

Background check compliance
> When hiring employees, employers may conduct background checks to gather information on a candidate to make an informed hiring decision.
> However, employers do not have unlimited rights to investigate an applicant's background. Employees have a right to privacy in certain areas and if this right is violated, prospective employees can take legal action.
  - Credit reports: The Fair Credit Reporting Act (FCRA) states that employers must obtain an employee's written consent before seeking an employee's credit report.
  - Criminal records: An employer's ability to consider an applicant's criminal history varies between states, and employers should consult a lawyer before conducting a background check.
HR Tip: Often, background checks are performed for a particular state. HR should consider running a national background check on employees during the hiring process.

Verifying employee eligibility
> Employers must have a completed I-9 on file for each person on their payroll and must maintain the Form for all terminated employees for three years after the date of hire or one year after employment is terminated, whichever is longer.
> Fines for hiring unauthorized employees can range from $539 - $21,563 per employee.
> Each mistake or missing item on a form (including typos, missing signatures or dates, and inadequate corrections) can result in a $178 penalty, up to $1,782 for each form, as determined by the U.S. Immigration and Customs Enforcement.
  - The penalty is determined based on five factors:
    - Size of the business
    - Good faith effort to comply
    - Seriousness of violation
    - Whether the violation involved unauthorized workers
    - History of previous violations
> Committing or participating in document fraud can result in penalties of $445 to $8,908 for each worker.

Verifying employee eligibility: E-Verify
E-Verify is an internet-based system that compares information from an employee's I-9 form to data from Homeland Security and Social Security Administration records to confirm employment eligibility. Use of E-Verify is voluntary for most organizations, but there may be circumstances that require your institution to use the E-Verify process:
> Federal contractors are required to use E-Verify to electronically verify the employment eligibility of employees working under covered federal contracts.
- Institutions of higher education that are awarded a federal contract are only required to use E-Verify for new hires and existing non-exempt employees working directly under a covered contract.
> State laws may determine the extent of who is required to use E-Verify (at least 20 states require all or most employers to use E-Verify).

Auditing I-9 forms
An audit of an employer's I-9 forms for current and former employees can help determine whether the form completion process meets federal requirements. A sample of I-9 form audit questions is listed below:
> How are instructions for completing the form given to the employee (e.g., verbally, written)?
> When are the forms completed?
> If corrections to the form were required, were they properly made?
> Did the employees and the employer representatives completing the I-9 forms do so accurately, completely, and on time?
> Is HR's recordkeeping of I-9 forms legally compliant?
HR Tip: I-9 documentation should be maintained in a secure location, separate from employee personnel files.

Auditing hiring and orientation processes
Hiring and orientation audits determine whether the employer is in compliance with hiring statutory requirements. As part of an audit, IA should address the following sample questions to ensure hiring compliance.
New hire forms
> Has the employer properly completed I-9s and other required forms (e.g., tax forms)?
> Has the employee completed and signed the appropriate documents (e.g., policy documents, including Conflict of Interest forms)?
> Did the employer effectively review these documents?
> Are these employee documents maintained in a secure location by HR?

Benefits

Benefits compliance
Family and Medical Leave Act (FMLA)
> FMLA provides for up to 12 weeks of unpaid leave for specific medical and family situations (e.g., adoption, pregnancy, serious health condition) for either the employee or a member of the employee's immediate family.
> In many instances paid leave may be substituted for unpaid FMLA leave.
> Some states also offer additional leave programs.

Benefits compliance
Genetic Information Non-discrimination Act of 2008
> This new legislation, signed into law by President Bush in 2008, prevents employers and health care providers from requesting or requiring genetic information or using it to determine rates.
> Genetic information is defined as:
- An individual's genetic tests
- Genetic tests of the individual's family members
- Genetic tests of any fetus of an individual or family member who is a pregnant woman
- The manifestation of a disease or disorder in family members or family history
- Request for or receipt of genetic services or participation in clinical research that includes genetic services by an individual or family member

New final rule on inducement of GINA
> Beginning January 1, 2017, a final ruling on the amount of inducement an employer can give to an employee for providing genetic information comes into effect. Employers may not offer an inducement for an employee who exchanges genetic information but they can offer one to an employee whose spouse exchanges genetic information.
- The inducement may be either financial or in-kind (e.g., awards, prizes, and other valuables)
> The amount of the inducement is subject to the same limits set in the new final ruling on Title I of the ADA, which also comes into effect January 1st.

Benefits compliance (cont.)
Employee Retirement Income Security Act of 1974 (ERISA)
> ERISA sets the minimum standards for pension plans in the private industry.
> It does not require employers to establish a pension plan, but it does require those who establish plans to meet specific minimum standards.
> ERISA does not specify how much money a participant must be paid as a benefit, but it:
- Requires employers to provide participants with information on the plan's features and funding.
- Sets minimum participation, vesting, and benefit accrual and funding levels.
- Gives participants the right to sue for benefits and breaches of fiduciary duty.
- Guarantees payment of certain benefits through the Pension Benefit Guaranty Corporation if a plan is terminated.

Benefits compliance (cont.)
Affordable Care Act (ACA)
> ACA dictates that employers provide health insurance to full time employees. Full time employees are defined as those who work on average at least 30 hours per week.
> Adjunct professors will be credited with:
- hours of work for each actual classroom teaching hour (which incorporates approximately 1.25 hours of class preparation and grading for each hour of teaching)
- An hour for each additional hour of required service (e.g., mandatory office hours)
> Other student employees such as teaching and research assistants may qualify for health insurance.
> Work-study students are excluded from the health insurance requirements.
> Unpaid interns and paid interns who are considered seasonal employees are exempt from health insurance requirements.

Auditing benefits
A benefits audit reviews the employer's benefit packages, ensuring compliance with several DOL regulations, including FMLA and ERISA. A sample of benefit audit questions is listed below:
Employee benefits
> Are benefits clearly communicated to employees?
> Is the annual open enrollment time period clearly communicated?
> Are changes to employee benefits clearly communicated and documented?
> Do employee medical leave policies comply with FMLA guidelines?
> Are benefit obligations properly stated and described?
> Were benefit payments made in accordance with plan terms?
> Are any benefit transactions prohibited under ERISA?

Termination

Termination compliance
Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA)
> When an employee is terminated, some employees and their families have the right to continue group health benefits for a limited period of time if the following requirements are met:
- The employee's current health plan is subject to the COBRA law (employers with 20 or more employees on more than 50% of typical business days in the prior year are subject to the COBRA law).
- The employee and family members are considered qualified beneficiaries of the current health plan.
- A qualifying event (e.g., termination, reduction in hours of employment).
> COBRA originally amended ERISA to provide continued health care coverage for employees and their beneficiaries (for a limited period) if events would otherwise result in a reduction in benefits.

Termination compliance (cont.)
> Employees terminated involuntarily may also be eligible to receive unemployment benefits.
> Federal-State Unemployment Insurance (UI) program
- Administered by DOL's Employment and Training Administration (ETA).
- Provides a partial wage replacement for individuals who are unemployed due to a lack of suitable work.

Auditing termination processes
A terminations audit should focus on the employer's termination process, as well as recent employee terminations. As part of an audit, IA should address the following sample questions to ensure termination compliance:
General termination questions
> What is HR's termination process (e.g., is an exit interview included)?
> How is the decision to terminate the employee made and by whom?
> Has HR fully documented each employee termination?
> How is the employee notified of the termination decision?
> In the case of a voluntary termination, did the employee provide a notice?
Termination obligations
> How did the employer reimburse the employee for accrued paid time off, bonuses, final salary?
> Was the employee offered COBRA?

Additional HR compliance concerns

Additional HR compliance concerns
In addition to the regulations already mentioned, other concerns may exist for performing HR audits. In addition to how the organization stores and maintains employee records (leading to potential Health Information Portability and Accountability Act [HIPAA] concerns), internal audit should also look at the overall HR processes followed from a business operations standpoint. This would include asking questions such as:
> Who has access to employee information? How is information stored?
> How are organizational policies communicated?
> How often are managers and employees trained?
> Are critical decisions and communications documented?
> If HR functions are decentralized, how is oversight provided?
- Are roles, responsibilities, and accountabilities defined?
> How are potential HR concerns addressed?
- What is the relationship between HR and General Counsel?

Auditing employee information protections
One of the most overlooked threats to sensitive employee information is internal employees or contractors with access to that information. Internal Audit can help reduce the risk of sensitive employee information being accessed by working with HR to ensure policies are communicated. A sample of employee information protection audit questions is listed below:
Employee information protections
> Does the organization have a Chief Information Officer (CIO), Security Officer, or similar role?
> Has the CIO developed an enforceable information security governance and strategy program, and is it in place?
> Are the information security program and policies regularly communicated to employees?
> Does the employer conduct security awareness training for all employees?
> Are Personally Identifiable Information (PII) reviews conducted?

Operational-focused audit steps
HR office operations
> Perform a spot check of the HR office space to see if employees are complying with information privacy requirements.
> Review system access controls for personnel management systems and data.
> Determine if there are other possible compliance risks related to employee information.
Organizational operations
> Interview individuals with departmental level responsibilities for all or part of the employee lifecycle.
> Understand what level of employee information is held at the department or unit level, and test relevant controls.

Resources
> Department of Labor: Compliance Assistance
> Small Business Administration: Performing Pre-Employment Background Checks
> U.S. Citizenship and Immigration Services (USCIS)

Any Questions?

Appendix

Compensation

Compensation compliance
Fair Labor Standards Act (FLSA)
> The FLSA establishes minimum wage, overtime pay, recordkeeping, and youth employment standards affecting employees in the private sector and in federal, State, and local governments.
> FLSA Minimum Wage: The federal minimum wage was last raised to $7.25 per hour, effective as of July 24,
> FLSA Overtime: Covered non-exempt employees must receive overtime pay for hours worked over 40 per week at a minimum rate of 1.5 times the employee's regular pay rate.
> In September of 2016, the House of Representatives voted to postpone the implementation of the newest overtime wage ceiling of $47,476 (i.e., those earning under this threshold were to receive overtime pay).

Auditing compensation
A compensation audit reviews the employer's payroll practices, how employees are classified and paid, and whether the employer is in compliance with various federal regulations. A sample of compensation audit questions is listed below:
Compensation surveys
> How is information from total compensation surveys and compensation plans communicated?
> Are these surveys and plans easily available to HR personnel?
Overtime
> Is there a policy in place for overtime relating to approval and unauthorized time?
> How is this policy communicated?

Auditing compensation (cont.)
Dual employment
> Is there a policy in place for dual employment?
> Is there documentation of approvals and denials?
Additional pay
> Is there a policy in place for premium and discretionary pay?
> What is the approval process?
> How and to whom is this policy communicated?
> Is this policy applied consistently to all employees?

Auditing compensation (cont.)
Incentive awards
> Is there a formal, written plan outlining the employer's reward program?
> Was the plan developed with employee input and communicated to employees?
> Is the reward program policy applied consistently?

Performance management

Performance management compliance
> Merit pay is defined as an increase in pay based on a set of criteria set by the employer.
> This usually involves the employer conducting a review and meeting with the employee to discuss the employee's work performance at least annually.
> The provision of merit pay is a matter between an employer and an employee.
> FLSA does not require or address the issue of merit pay.

Auditing the performance management process
Performance expectations
> Were performance expectations communicated to the employee when they were hired?
> How often are performance discussions held with the employee (e.g., twice a year, annually)?
> Who participates?
Goal setting
> Does the employer have a regular goal setting process for employees?
> Does the employer provide support to the employee when establishing goals (e.g., a mentor providing input)?
Performance review
> Is the performance review process clearly documented and understood by all employees?
> Is the performance review mandatory and consistently enforced?
> Are all performance reviews securely maintained by human resources?

EEO Compliance Areas

EEO compliance
Executive Order
Executive Order applies to any organization contracting with the federal government. It bans discrimination and requires contractors to take affirmative action to ensure that all individuals have an equal opportunity for employment without regard to race, color, religion, sex, national origin, disability or status as a Vietnam era or special disabled veteran.
> This requirement is enforced by having an equal opportunity clause included in all nonexempt government contracts. Violation of E.O may result in termination of contracts and debarment from future work with the government.

EEO compliance
Title VII of the Civil Rights Act of 1964
Title VII of the Civil Rights Act of 1964 (and amendments from the Civil Rights Act of 1991 and the Lilly Ledbetter Fair Pay Act of 2009) prohibits organizations from making decisions related to hiring, termination, job responsibilities, or compensation based on an individual's race, color, religion, sex, or national origin.
> Applies to employers, employment agencies, labor organizations, and training programs.
Potential penalties for violating Title VII may include:
> Hiring, reinstatement, or promotion of the claimant, including back pay.
> Civil action by the claimant, resulting in penalties for financial losses, mental anguish, and attorney's fees.
> Punitive damages if the employer is found to have acted with malice or reckless indifference.

EEO compliance
Title I of the Americans with Disabilities Act of 1990
Prohibits private employers, state and local governments, employment agencies, and labor unions from discriminating against qualified individuals with disabilities in job application procedures, hiring, firing, advancement, compensation, job training, and other terms, conditions, and privileges of employment.
> A qualified employee or applicant with a disability is defined as an individual who, with or without reasonable accommodation, can perform the essential functions of the job in question.
Title I is enforced under the same mechanisms as Title VII of the Civil Rights Act of

EEO compliance
Title I of the Americans with Disabilities Act of 1990: Updates
Effective January 1, 2017, a new final ruling clarifies the terminology used within the bill. ADA permitted employers to make inquiries and conduct medical examinations that are part of a voluntary health program. However, it did not define voluntary, what constituted a health program, or whether businesses could offer incentives to employees for these health exams.
> Voluntary: An employee's participation in a wellness program that includes disability-related inquiries or medical examination must be voluntary.
> Reasonably Designed: Any employee health program, including disability-related inquiries or medical examinations that are part of such a program, must be reasonably designed to promote health or prevent disease.
> Incentives: Employers are permitted to offer incentives to employees who answer disability-related questions or undergo medical examinations for a wellness program.

EEO compliance
Vietnam Era Veterans' Readjustment Assistance Act of 1974
The Vietnam Era Veterans' Readjustment Assistance Act applies equal opportunity and affirmative action requirements to Vietnam era veterans, special disabled veterans, and veterans who served active duty during a war or in a campaign or expedition for which a campaign badge has been authorized.
VEVRAA is enforced under the same mechanisms as Title VII of the Civil Rights Act of

2/26/2018 Auditing financial aid programs

Presentation content
> Session objectives
> Why audit financial aid?
> Overview of federal student aid compliance
> Common financial aid external audit findings, and how internal audit can help
> Resources

Session objectives
> Introduce the regulations and requirements for federal student aid programs
> Understand some common external audit findings for financial aid
> Identify key areas, based on risks of non-compliance, for internal audit focus

Why audit financial aid?

Why are financial aid audits necessary?
There continues to be increased federal scrutiny surrounding financial aid. Changes, such as growth of a university's aid portfolio, could lead to an increased risk of noncompliance in the distribution of financial aid. For a university to be successful in achieving affordability for its students, having an efficient financial aid function, which distributes aid in a manner consistent with the university's matriculation and budgetary goals, is a key factor.

Internal audit's role in auditing financial aid
Financial aid programs are often a major source of federal financial support to an institution, so it is important that there be a high focus on compliance within the operation and administration of offices involved in financial aid programs. Institutions participating in Title IV assistance programs are required to complete an annual compliance audit of financial aid administration, which is typically completed as a part of the Single Audit process. However, the breadth of compliance aspects associated with financial aid programs provides great opportunity for Internal Audit to also review related programs or activities.

Consequences of non-compliance
Regulations surrounding financial aid establish the expectation that an institution act as the fiduciary administrator of funds provided. Failure to properly administer or account for such funds could result in:
> Fines
> Limitation, suspension, or termination of the institution's participation in federally funded financial assistance programs
> Debarment from participation in future federal programs

Overview of federal student aid compliance

Federal student aid
The Department of Education defines financial aid as money provided to help a student pay for education expenses at a college or career school. The Department of Education Federal Student Aid program provides over $150 billion a year in financial aid to over 15 million students in the form of grants, low-interest loans, and work study payments. All students who wish to receive federal financial assistance must complete a FAFSA form, which collects basic personal information about the student and personal financial information about that student and his/her family (if being claimed as a dependent student).

Financial aid compliance requirements
For an institution to be eligible to participate in programs authorized by the Higher Education Act, including federal student aid, it must meet the established criteria and apply to participate through the Secretary of Education. Federal student aid programs may be operated within institutions of higher education, proprietary (for-profit) institutions of higher education, or postsecondary vocational institutions. To participate in any Title IV program, an institution must meet certain requirements to prove it is capable of adequately administering the aid program:
> Administers Title IV programs in accordance with all statutory provisions of or applicable to Title IV of the Higher Education Act;
> Designates a capable individual to be responsible for administering all the Title IV programs in which the institution participates and coordinating those programs with the institution's other federal and non-federal programs;
> Uses an adequate number of qualified persons to administer Title IV programs in which the institution participates

Verification of FAFSA information
To ensure that federal assistance funds are being awarded as intended and truly being used to provide aid to individuals in need, institutions are expected to have processes in place to verify information provided on the FAFSAs received. The verification is not intended to function like a forensic audit, but the college financial aid office may not disburse federal student aid until the verification process is complete.
Institutions must establish policies and procedures for such verification, which include:
> The time period within which an applicant must provide any documentation requested by the institution and the consequences of failing to provide requested information within the specified timeframe;
> The method by which the institution notifies an applicant of the results of its verification if, as a result of the verification, the applicant's expected family contribution changes and results in a change in assistance;
> The procedures for correcting FAFSA information determined to be erroneous;
> The procedures for making referrals to the OIG related to false claims;
> Providing a clear explanation of the documentation needed to satisfy the verification requirements and the applicant's responsibilities with respect to the verification of FAFSA information

Reporting and disclosure of information
An institution must make certain information available to all enrolled or prospective students through publications, mailings, or electronic media, including:
> Financial assistance available to students enrolled in the institution
> Institutional information
> Retention rate as reported to the Integrated Postsecondary Education Data System (IPEDS)
> Completion or graduation rate and transfer-out rate
> Employment/placement information
> Information on graduate/professional enrollment of its graduates
Institutions participating in Title IV assistance programs are also required to submit a number of different reports throughout the year to the Department of Education.
Source: 34 CFR ,

Federal Work-Study (FWS) program
While each type of federal assistance program has unique requirements or compliance aspects, FWS awards are often a specific area of audit focus. Particular conditions include:
> Unlike loans or grant programs, FWS payments must be earned by students prior to receiving payment (being paid the federal minimum wage, at a minimum, for work performed);
> Compensation must be paid at least monthly;
> At least 7% of funds provided for FWS must be used toward community service jobs;
> The institution is responsible for at least 25% funding of the wages, in most cases, while there are other distinct higher allocations depending on the type of work study job.
Source: 34 CFR

Common financial aid external audit findings and how internal audit can help

Top 10 financial aid external audit findings
The following represent common areas of findings from independent financial aid audits and program reviews completed by the Department of Education:
> Repeat finding/failure to take corrective action
> National Student Loan Data System (NSLDS) inaccurate/untimely reporting
> Return of Title IV (R2T4) calculation errors
> Late return of Title IV funds
> Verification violations
> Pell Grant overpayment/underpayment
> Student credit balance deficiencies
> Entrance/exit counseling deficiencies
> Qualified auditor's opinion cited in audit
> G5 expenditures untimely/incorrectly reported

Common finding #1: Repeat finding/failure to take corrective action
> Failure to implement a Corrective Action Plan (CAP)
> CAP did not remedy the instances of noncompliance
> Ineffective CAP used from previous year(s)
> Internal controls not sufficient to ensure compliance with regulations

Common finding #1: Repeat finding/failure to take corrective action - how internal audit can help
> Assist to develop a CAP, including providing input on appropriate preventive and detective internal controls to address the finding(s)
> Develop an implementation schedule and assign staff to monitor progress on the CAP
> Perform quality assurance checks to ensure new policies and procedures are strictly followed
> Periodically review results of CAP
- Is it working?
- Are changes needed to improve process?

Common finding #2: NSLDS inaccurate/untimely reporting
> Roster file not submitted timely
> Untimely submission of specific student information
> Failure to provide notification of last date of attendance/changes in student enrollment status
> Failure to report accurate enrollment types and effective dates

Common finding #2: NSLDS inaccurate/untimely reporting - how internal audit can help
> Assist to develop appropriate internal controls to maintain accurate enrollment records
> Assist to update processes to utilize available systems controls (e.g., automate enrollment reporting to ensure timeliness)
> Designate responsibility for monitoring reporting deadlines and changes published by NSLDS

Common finding #3: R2T4 calculation errors
> Incorrect number of days used in term/payment period
> Actual clock-hours used instead of scheduled hours
> Incorrect aid used as "could have been disbursed"
> Improper treatment of grant overpayments
> Incorrect withdrawal date
> Mathematical and/or rounding errors

Common finding #3: R2T4 calculation errors - how internal audit can help
> Pay attention to new regulations and assist to revise policies and procedures as needed
> Perform an objective self-assessment by reviewing a random sample of student files

Resources

Audit resources
> Higher Education Compliance Alliance
> Information for Financial Aid Professionals (Dept. of Education)
> National Association for College Admission Counseling
> National Association of Student Financial Aid Administrators
> U.S. Department of Education, Office of Federal Student Aid

Any questions?

Additional key compliance areas in higher education

Presentation content
While we won't have time to talk in detail about every compliance risk facing your institutions, we want to provide a brief overview of some additional key areas to consider:
> Advancement and gift management
> Investment office operations
> Institutional data reporting
> Environmental health and safety
> Global and international compliance

Session objectives
> Gain a summary level understanding of additional key compliance areas
> Recognize the relevant regulations governing specific compliance areas
> Understand how internal audit can assist in monitoring these compliance areas

Advancement and gift management

Advancement and gift management
As the pressures for college affordability increase, capital campaigns and fundraising activities have become more ambitious. Key compliance considerations include:
Compliance with your institution's policies and procedures
Policies and procedures typically need to consider:
> The types of gifts the institution will and will not accept
> Designated reviews to assess whether a gift meets the institutional mission and the institution is able to fulfill the donor's requirements
> Spending rules are consistent with Uniform Prudent Management of Institutional Funds Act (UPMIFA), if applicable to your state

Advancement and gift management
Compliance with donor expectations and the gift agreement
> Acknowledgments to donors for different levels and types of gifts (thank you letters, annual reports, receipts per IRS requirements of any gift greater than $250)
> Ensuring that gifts are being allocated appropriately towards their designated use per the established gift agreement
- Coordinate with legal counsel to determine an appropriate use for cy pres gifts (i.e., gifts for which the original intended purposes no longer apply)
Compliance with federal, state, and local regulations
> Verify that gifts are appropriately recorded and reported per accounting standards, including FASB 116 & 117, and ASC 820
> Comply with key regulations applicable to institutions receiving federal financial assistance, including Title IV, Title VI, and Title IX of the Civil Rights Act of
- Race, color, gender, sex, or national origin should not be a stipulation in a gift agreement

Advancement and gift management - how internal audit can help
> Evaluate current processes and controls against leading practices to provide management with targeted recommendations for improvement
> Evaluate current processes and controls in place to ensure the use of funds and gifts are in compliance with donor intent
> Advise and coach stakeholders on key considerations related to the accumulation of funds and potential alternative uses

Investment office operations

Investment office operations
In addition to Advancement compliance, it is also important to understand compliance considerations for how donated gifts are being invested. Institutions may have an in-house or outsourced investment office and the following compliance considerations should be understood and assessed:

Investment office operations
Key regulations related to investment compliance include:
> Uniform Prudent Management of Institutional Funds Act (UPMIFA)
- Governs the spending policies and protects the interests of donors who want to see their contributions used wisely
> Statement of Financial Accounting Standards No. 157 (ASC 820)
- Provides measurements for applying fair value to interests in alternative investments. This Financial Accounting Standards Board (FASB) Codification has been updated to Accounting Standards Codification (ASC) 820
> Internal Revenue Service (IRS) Unrelated Business Taxable Income (UBIT) reporting requirements
- Could arise from alternative investment activities unrelated to the tax-exempt organization's (i.e., college's or university's) business purpose

Investment office operations - key policy considerations
1 Does your institution have an investment policy statement?
2 Is the investment policy consistent with the Uniform Prudent Management of Institutional Funds Act (UPMIFA), if applicable, and state law?
3 Is there a board committee responsible for investments? How often does it meet?
4 How is investment performance currently monitored? What investment performance benchmarks are used?
5 Has the cost of investment managers been evaluated?

Investment office operations - key policy considerations
6 Are the investments subject to any unusual regulations or tax implications?
7 Was a policy adopted regarding investments in companies that may conflict with the organization's mission?
8 Has the organization transferred cash and investments to any related organizations?
9 Who manages the portfolio and are any unique skills required of the portfolio manager?

73 Investment office operations how internal audit can help > Evaluate current processes and controls against leading practices to provide management with targeted recommendations for improvement > Evaluate current processes and controls in place to ensure the back office, middle office, and front office operations are in compliance with the investment policy statement > Advise and coach stakeholders on key considerations related to the allocation of funds and the impact of the portfolio strategy on the university 13 Institutional data reporting 14 Institutional data reporting (IDR) IDR is a process by which financial, student, faculty, or other information is distributed to an institution's decision makers and external parties > Some institutional data reporting is required by government agencies or is required for accreditation purposes > Institutional data reporting involves almost all parts of a higher education institution > The institutional data reporting process can be centralized or decentralized Who receives institutional data? Associations; Bond Ratings Agencies; Department of Education; College Guides and Rankings; Institutions 15 5

74 Institutional data reporting Noncompliant or inaccurate data reporting to any of these agencies can result in negative impacts to bond ratings, loss of government funding, or reputational damage, and can result from: > Data recorded incorrectly at time of entry > Non-compliance with definitions of reporting agencies, associations, etc. > Ambiguity in definitions that are not clearly understood by leadership > Lack of verification of data or quality assurance processes 16 Institutional data reporting how internal audit can help > Evaluate current processes against industry leading practices > Assess the proactive communication and strategic collaboration between the Office of IDR and its customers > Advise and coach stakeholders on key considerations related to: - Timeliness and accuracy of critical internal and external data reporting - Availability, security, and oversight of key data - Process for requesting, compiling, vetting, and providing data reports 17 Environmental health and safety 18 6

75 Environmental health and safety Colleges and universities are like small cities, and perform many of the same functions, from operating research laboratories and power plants, to disposing of trash and waste, and supplying drinking water. As a result, colleges and universities are subject to a long list of environmental laws, regulating disposal of chemicals and waste, abatement of asbestos, monitoring of emissions, use of pesticides, and countless other activities. Key regulations related to environmental health compliance include: > Bloodborne Pathogens Toxic and Hazardous Substances No (OSHA) - This section applies to all occupational exposure to blood or other potentially infectious materials > Resource Conservation and Recovery Act of 1976 (42 U.S.C. 6901) - Regulates the generation, transportation, storage, and disposal of hazardous waste > Hazardous and Solid Waste Amendments of 1984 (42 U.S.C. 6924) - Underground storage tanks (USTs) and land-based disposal of hazardous substances are regulated under this law > Clean Water Act (33 U.S.C. 1251) - Prohibits the discharge of pollutants into navigable waters and also regulates discharge into storm sewers. Also regulates wetlands. Government contractors must certify in compliance 19 Environmental health and safety Framework for successful environmental health and safety departments: 20 Environmental health and safety Framework for successful environmental health and safety departments: 21 7

76 Environmental health and safety how internal audit can help > Evaluate risk mitigation plans to determine if adequate activities are in place to effectively mitigate and monitor the identified risks > Review hazardous substance and environmental disposal activities for compliance with institutional policies and external regulations > Identify any gaps or areas of concern related to the existence, adequacy, and implementation of risk mitigation plans for Lab Safety and Environmental Hazards risks 22 Global and international compliance 23 Global and international compliance Global activities can greatly increase the scope of relevant laws and regulations that impact your institution, including: > Foreign Corrupt Practices Act > Export controls regulations > Local/in-country laws - Regulations for establishing foreign operations (e.g., the ability to operate as a not-for-profit entity in another country such as India requires application and significant scrutiny) - Local hiring/labor/human resources laws (e.g., some countries require you to pay employees a housing allowance as part of their salary) - Local banking requirements (e.g., can you freely open and utilize bank accounts?) - Real estate taxes and ownership laws (e.g., can you own land as a foreign entity?) 24 8

77 Global and international compliance how internal audit can help > Facilitate the compilation of a comprehensive University-wide inventory of global activities > Participate in (or establish) your institution's global activities forum or working group > Conduct a risk assessment of identified global activities to identify high risk programs for management monitoring > Assist in developing policies, procedures and internal controls (including the expansion of systems) at foreign campuses or locations; for example: - Implement a robust approval process at a foreign location with limited employees - Design appropriate controls over cash advances and expense reimbursements in cash-oriented locations 25 Global and international compliance how internal audit can help > Provide assurance by testing the operational effectiveness of controls, focusing on high risk programs > Serve as a liaison between program personnel and external counsel (e.g., during organizational setup, consultation on labor laws, etc.) > Perform a review of the adequacy of student health and safety protocols and documentation > Perform an audit of sampled transactions to assess for risk of FCPA violation 26 Any questions? 27 9

78 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2/26/2018 Auditing sponsored research compliance Presentation contents > Session objectives > Sponsored projects overview > Applicable regulations when charging research costs > Institutional monitoring responsibilities > Common cost charging challenges > Cost allowability audit exercise > Cost allowability audit tips 2 Session objectives > Provide an overview of the sponsored projects lifecycle and compliance considerations > Understand the risks, concerns, and consequences for non-compliance > Outline key cost charging considerations and identify activities that IA can perform to assess cost allowability 3 1

79 Sponsored projects overview 4 Sponsored projects lifecycle (diagram stages: Finding funding; Proposal & budget development; Routing & approval process; Submission & review; Award review & acceptance; Award set-up; Post-award administration; Closeout & audit) 5 Offices/functions involved in managing sponsored projects The organizational structure for sponsored projects support will vary by institution. The following is a general overview of common offices involved in the administration of sponsored projects awards: > Pre-award office that assists researchers in identifying funding, preparing proposals (specifically budgets), submitting to the sponsor, and negotiating terms and conditions for awards received > Post-award responsible for collecting and managing cost and budget data related to active awards, including providing information to assist in award management/oversight and preparing financial reports for sponsors > Departments house the researchers conducting the work, and typically provide administrative staff to assist in the review and oversight of costs charged to awards > Other offices that are likely included in research administration: - Office of General Counsel - Provost - Controller/central accounting - Compliance/audit - Information technology 6 2

80 Overview of sponsored projects compliance As you know, research involves more than test tubes and experiments, all of which have unique compliance issues to deal with: > Budgeting > Staffing > Sponsor relations > Purchasing > Financial tracking and monitoring > Reporting ... Oh yeah, and conducting the actual research. 7 Why is compliance important? > In an age of increased government scrutiny and limited appropriations, stewarding federal funds creates expanded risk for an institution, and could create many front-page situations - Fines - Suspension and debarment - Reputational damage > Sponsoring agencies routinely conduct program audits which result in disallowed costs or fines for institutions with weak internal controls or program oversight > Of course, we all want to do the right thing! 8 Compliance concerns There are many processes around financial compliance on sponsored awards. We will highlight a few that are often subject to sponsor scrutiny: > Appropriateness of cost charging > Direct-charging costs that are typically F&A costs > Subaward selection and monitoring > Meaningful oversight and review of financial and programmatic status > Cost transfers > Documenting committed cost sharing > Reporting program income > Salary 9 3

81 Applicable regulations when charging research costs 10 Applicable regulations what are the rules to know for research? > Federal regulations - Uniform Guidance - Federal Acquisition Regulation (FAR) - Cost Accounting Standards (CAS) - All other applicable laws and acts of Congress > Sponsor/agency regulations - NIH, NSF, Department of Defense (DoD), Department of Education (Ed) > Award terms and conditions > State and local laws > University policies 11 Regulatory order of precedence: Federal Law; Office of Management & Budget Regulations, Standards & Principles; Sponsoring Agency Requirements; University Policy; Grant Agreement Terms & Conditions 12 4

82 Types of costs Research awards have two main categories of costs that are incurred: > Direct costs: any costs that are incurred specifically related to the objectives of the award, and which cannot be attributed to any other award, project, or activity > Indirect costs (Facilities and Administrative (F&A) costs): costs that are incurred in the normal course of business and support more than just one individual award, but cannot easily be allocated to the awards they support (e.g., general office supplies, computers, association dues, subscriptions, administrative effort, etc.) Each direct and indirect cost can further be classified as allowable or unallowable; only allowable expenses can be reimbursed on a federal award. 13 What can be charged? Per the OMB Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), costs charged to federal awards must be: > Allowable (i.e., not expressly prohibited by the cost principles) > Supportable (documented, with clear business purpose) > Within the approved budget and scope (justifiable) > Aligned with institutional policies and procedures > Able to pass the AARC test (see next page) - This is not a specific test listed in the regulations, but a helpful mnemonic to remember all the cost requirements 14 The AARC test An important test for costs charged to federally-sponsored awards is to determine if the cost is: > Allowable: Is this cost prohibited for any reason, either by sponsor requirements or federal regulations? > Allocable: Can this cost (or a portion of the cost) be supportably charged to this award? > Reasonable: Will a prudent person make the same decision on the purchase in similar circumstances? > Consistently treated: Does your institution follow consistent practices in charging that type of cost? 15 5

83 Allowable costs The Uniform Guidance details which costs may and may not be charged to federally-sponsored awards (allowable and unallowable costs). BUT, there are exceptions with every type of cost 16 Applying your indirect rate Unlike direct costs, which are charged based on the actual cost incurred, institutions also charge costs for overhead and administrative services on awards > Charged based on the negotiated F&A rate for your institution > Applied to Modified Total Direct Costs (MTDC) > Able to pass the AARC test (see next page) - This is not a specific test listed in the regulations, but a helpful mnemonic to remember all the cost requirements > Institutions may have different rates depending on where the work is performed (e.g., on or off campus) 17 Impact of Uniform Guidance on F&A rates With the Uniform Guidance, certain key changes were made that affect the application and acceptance of F&A costs: > All federal agencies are required to accept an institution's negotiated rate, unless restricted by law or statute - If issuing subawards, a pass-through entity must honor the negotiated rate of the subrecipient > Institutions (including subrecipients) without a negotiated rate can elect to receive a de minimis rate of 10% > Institutions can elect a one-time extension of their current negotiated rate for up to four years 18 6

84 Responsibilities of the institution for monitoring sponsored projects 19 Responsibilities for award management > By accepting a federal award, an institution is obligating itself to serve as a responsible steward for the funding received. The institution must ensure funds are used for their intended purpose and within the regulations set forth by the government and specific sponsors > While the institution is legally responsible for funds received, the PI is ultimately responsible for financial and programmatic performance of a sponsored award, and may face personal penalties for non-compliance 20 Supporting costs charged To assist in substantiating costs charged to an award, an institution should maintain supporting documentation. This documentation may include purchase orders, invoices, receipts, emails from sponsors, institutional base salary letters, and evidence of prior approval for certain costs, and should demonstrate the: > Reason for selecting a vendor (especially if sole-sourced) [1] > Total amount of the charge > Meaningful justification for the charge (business purpose) > Appropriate levels of review and/or approval [1] Justification for vendor selection is typically not required for commercial items, though you must always follow any additional institutional policy related to purchasing. 21 7

85 Oversight and review The Uniform Guidance states: The non-federal entity is responsible for oversight of the operations of the Federal award supported activities. The non-federal entity must monitor its activities under Federal awards to assure compliance with applicable Federal requirements and performance expectations are being achieved. Institutions are also typically required to submit financial and technical performance reports on a regular basis. 22 Oversight and review (cont'd) The UG requires institutions to maintain a financial management system capable of providing accurate, current, and complete disclosure of the financial results of each Federally-sponsored project or program. > This information is necessary to accurately complete regular project performance reports required by sponsors (frequency varies), as well as for any program financial and close-out reporting requirements > Accounting systems must also be capable of attributing each cost to the program supported, segregating unallowable costs, and providing records of cost sharing 23 Oversight and review (cont'd) The UG also has a section specifically focused on internal controls ( ), requiring that: > Institutions must establish and maintain effective internal controls over federal awards that provide reasonable assurance that the entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the federal award > Internal controls should be in compliance with the internal control requirements issued by GAO in Standards for Internal Control in the Federal Government and by COSO in the Internal Control Integrated Framework 24 8

86 Oversight and review (cont'd) Institutions should have processes in place to foster the routine review of costs charged to an award. Reviews should be conducted by employees with an understanding of both the financial and programmatic aspects of the award. These reviews should include (at least): > Appropriateness of costs charged > Burn-rate and project progress Best practice is to have reviews completed monthly by the PI (with assistance of departmental administrators as necessary); reviews should be completed no less than quarterly. Reviews should be documented and maintained with other award records. 25 Oversight and review (cont'd) Some common additional checks include: > Charges for unrelated work > Split purchases > High volume of purchases at the end of a budget year or award period > Multiple charges from the same vendor 26 Common cost charging challenges and causes of noncompliance 27 9

87 Common cost charging findings/ challenges General: - Unallowable or unallocable costs charged - Inadequate recordkeeping and/or missing documentation to support costs charged - Misuse of procurement cards - Insufficient justification to support cost allocability or need - Lack of processes and controls related to financial oversight - Improper authorization or review of costs Direct cost charging: - Regular review of costs for unallowable costs not conducted - Unallowable costs not separately recorded - Lack of documentation for expenditures - Inaccurate reporting - Lack of business purpose or nature of expense - Ambiguous institutional policies - F&A-type costs charged directly to projects - Unsupported salary F&A cost charging: - Failure to exclude unallowable costs from rate calculation - Application of F&A to costs excluded from MTDC - Inaccurate calculation driving F&A cost allocation - Incorrect rate applied Cost sharing: - Lack of system to identify, monitor, and report cost sharing - Inadequate documentation for costs - Inappropriate source of funds covering shared costs Cost transfers: - Lack of documentation to substantiate cost transfers - Frequent or tardy cost transfers - Did not follow institutional policy 28 Common causes of noncompliance effort reporting > Faculty and staff may not understand the importance of accurate and timely effort reporting > Faculty and staff may sign effort certifications without understanding the assurance provided by their signature > Faculty may not have the knowledge to certify effort for their staff and students > Faculty and staff may not be properly trained to review and certify effort > Effort certification forms can be complex and may not be intuitive to faculty and staff 29 Common causes of noncompliance effort reporting audit approaches > Perform a horizontal audit of the design of the effort reporting process > Select a sample of effort certifications to review including interviews of faculty and staff to 
verify accuracy and ascertain understanding of the process > Review high risk faculty including those with: - Greater than 90% sponsored effort - Projects with less than 5% effort - Significant variances between budgeted/committed and actual effort > Utilize data analytics to target departments with: - Significant outstanding or late effort certifications - Significant payroll reallocations - No or very few payroll reallocations 30 10

88 Common causes of noncompliance information systems > Faculty and administrators may not understand how to properly use systems due to system complexities and/or insufficient training - E.g., reporting systems are often not intuitive making it difficult to compare budgeted to actual costs real time > System roles and access may not be properly aligned with functional responsibilities - E.g., individuals with insufficient knowledge may be asked to review expenses, payroll decisions, effort, or sponsor reports > Faculty and administrators may assume there are system controls in place that are not, and therefore not perform adequate review - E.g., faculty may assume that all purchases are reviewed by Accounts Payable for allocability to the award 31 Common causes of noncompliance information systems audit approaches > Interview faculty and staff about their system access and knowledge > Review system roles and responsibilities compared to stated job duties and descriptions > Document and test automated internal controls and compare to the understanding of these controls of faculty and administrators > Incorporate review of workflow, electronic approvals, and electronic forms into all audits 32 Common causes of noncompliance insufficient/ disorganized documentation > Unclear document retention practices can lead to inconsistency in identifying and producing support > Missing receipts or invoices would typically translate to questioned costs by an external or Office of Inspector General (OIG) auditor > It can be difficult to prove allocability of costs without a real time business justification (especially in the case of shared costs) > Searching through disorganized documentation wastes administrator time and can lead to decreased confidence from external and OIG auditors 33 11

89 Common causes of noncompliance insufficient/ disorganized documentation audit approaches > Perform a mock OIG audit focused on cost allowability - Test a sample of costs to verify if they are allowable, allocable, reasonable, and consistently treated - Specifically test each sample for adequacy of support per OIG requirements (i.e., without full support the cost is questioned) > Assess the timeliness and organization of support to provide feedback to the department (e.g., for what percentage of samples did the department provide support within 14 days) > Document the stated and actual location of different aspects of supporting documentation (e.g., what documents are electronic, what is owned centrally, etc.) 34 Cost allowability audit exercise 35 Cost allowability audit exercise Scenario: A research institution is facing a change in research leadership. The new Vice President for Research is requesting an objective cost allowability review for a selection of awards to understand where the institution stands regarding financial compliance on its awards. Objectives: > Assess cost allowability compliance on multiple awards managed by different Principal Investigators > Gain an understanding of processes and internal controls to understand where gaps may exist that can lead to questioned costs 36 12

90 Cost allowability audit exercise (cont'd) Exercise: > Break into groups > Identify key risks > Brainstorm potential sampling approaches 37 Cost allowability audit exercise (cont'd) Key risks: > Unallowable or unallocable costs > Missing supporting documentation > Improper authorizations/approvals > Unsupported salary - Incomplete effort reports - Unapproved effort reports - Differences between effort and salary charged > Untimely cost transfers Sampling approaches: > Judgmental sampling > Statistical sampling > Data analytics 38 Cost allowability audit exercise (cont'd) Exercise: > Break into groups > Brainstorm possible audit activities to address the key risks 39 13

91 Cost allowability audit exercise (cont'd) Potential audit activities: > Obtain supporting documentation to determine the nature of the expense > Identify whether the cost was charged to the correct expense class and fiscal year > Assess whether the cost appears to be charged consistently compared to similar costs > Determine if the cost is allowable per Federal Regulations, allocable to the project as charged (based on review of award documentation), and reasonable > Examine effort reports for proper approval > Compare effort report percentages to the percentage of salary charged to the award 40 Cost allowability audit tips 41 Cost allowability audit tips > Focus your reviews more broadly than just individual grant or department operations. Work with the offices responsible for research administration to understand the policies and procedures that govern research > Pay attention to the nuances of sponsored research, and learn to speak the language. PIs love to talk about their research, but often don't have a complete grasp of the regulatory/administrative aspects - Internal audit can help serve as a teacher 42 14

92 Cost allowability audit tips (cont'd) > Sponsoring agencies (e.g., NSF, NIH, DOE), as government entities, must also report on their activities on an annual basis. These reports are all available online and may include: - Annual reports - Strategic plans - Management and performance challenges - Annual audit work plans > Agencies publish audit reports and findings online, which serve as a good resource to ascertain what the Inspectors General's (IGs) focus areas are and the methodologies they use in performing audits 43 Cost allowability audit tips (cont'd) > Understanding the sponsoring agency's administrative guide or policy statement can be useful in creating an audit plan NIH Grants Policy Statement: NSF Award and Administration Guide: > Lastly, remember that even if your institution's policies are more stringent than the sponsoring agency's, most IGs will cite non-compliance with institutional policies as a finding! 44 Cost allowability audit tips voluntary disclosures > If problems or concerns are discovered, IA should work with management and the process owners to determine if sponsor notification is necessary - For some issues, institutions can resolve internally (e.g., transferring costs to appropriate cost centers) - However, if the results of an audit or review are the type that require sponsor notification (or would result in a negative audit finding by the OIG), it is best for the institution to be proactive in disclosing these issues to the sponsor - Showing how the issue has already been resolved and changes to controls as a result (to prevent future concerns) should have more favorable results - If potential misuse of funds is suspected, work with the vice president for research or provost to involve general counsel 45 15

93 Thank you! 16

94 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2/26/2018 Auditing sponsored research compliance: selected compliance risk areas Presentation contents > Session objectives > Subrecipient monitoring > Conflicts of interest > Export controls > Research misconduct and responsible conduct of research training > Federal data protection 2 Session objectives > Become familiar with several challenging areas for research compliance > Learn about governing rules and regulations specific to each area > Identify issues to look for in each area and tips for auditing 3 1

95 Subrecipient monitoring 4 Subrecipient monitoring definition When an institution contracts out a portion of the work on a research award to another organization, the prime awardee has responsibilities to correctly categorize the nature of the relationship as either a subrecipient or vendor and ensure that the selected organization is capable of performing the work and administering federal funds. The Uniform Guidance has added increased specificity to help institutions make the subrecipient or contractor determination, but also formalizes requirements for risk assessments prior to entering into agreements. 5 Subrecipient monitoring subrecipient determinations The process to determine if a pass-through relationship should be classified as a subrecipient or a contractor (vendor) can be complicated. The UG provides additional guidance to make the determination: Subrecipient 1. Determines who is eligible to receive what Federal assistance; 2. Has performance measured in relation to whether objectives of Federal program were met; 3. Has responsibility for programmatic decision making; 4. Is responsible for adherence to applicable Federal program requirements specified in the award; and 5. Uses Federal funds to carry out a program for a public purpose, as opposed to providing goods or services for the benefit of the pass-through entity. Contractor 1. Provides the goods and services within normal business operations; 2. Provides similar goods or services to many different purchasers; 3. Normally operates in a competitive environment; 4. Provides goods or services that are ancillary to the operation of the Federal program; and 5. Is not subject to compliance requirements of the Federal program as a result of the agreement. 6 2

96 Subrecipient monitoring initial risk assessment Before entering into pass-through agreements, prime awardees must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring. This may include consideration of: > Prior experience with same or similar subawards; > Results of previous audits (including A-133, now referred to as the Single Audit), and the extent to which the same or similar subaward has been audited as a major program; > Whether the subrecipient has new personnel or new or substantially changed systems; and > The extent and results of federal awarding agency monitoring. 7 Subrecipient monitoring ongoing monitoring During the performance of a subaward, the prime institution must monitor the activities as necessary to ensure that the subaward is used for authorized purposes and in compliance with applicable terms and conditions. This includes: > Reviewing financial and performance reports required by the pass-through entity; > Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award detected through audits, on-site reviews, and other means; and > Issuing a management decision for audit findings pertaining to the federal award. Depending on the risk of the subrecipient, the prime awardee may also implement additional oversight controls. 8 Subrecipient monitoring recommended monitoring practices PIs are responsible for the activities, both financial and programmatic, of subawardees, and should actively manage the subaward relationship. Costs charged and invoiced by subawardees should receive at least as much scrutiny as those charged through the institution. 
To best manage these relationships, an institution should: > Establish a frequent communication protocol during subawardee performance > Require approval of subawardee invoices by the PI or other key personnel > Regularly (at least quarterly) review the subawardee's technical progress and financial expenditures 9 3

97 Subrecipient monitoring audit focus areas Internal audits or reviews of subrecipient monitoring practices should consider: > Procedures or tools for making subrecipient versus vendor determination; > Design and effectiveness of initial risk assessment; > Communication of identified risk level and implementation of additional controls, as needed; > Ongoing communication and oversight of subrecipient technical and financial performance; and > Ongoing receipt and review of subrecipient's audit information or other actions related to its ability to administer federal funding. 10 Subrecipient monitoring audit exercise 11 Subrecipient monitoring audit exercise Scenario: A research institution that regularly issues subawards to subrecipients recently updated its subrecipient monitoring policy. The Vice President for Research is requesting an objective review to assess whether the institution is in compliance with its subrecipient monitoring policy and federal regulations. Objectives: Evaluate the effectiveness of subrecipient monitoring internal controls in managing: > Data integrity > Efficient use of resources > Safeguarding assets > Compliance with policies, laws, and regulations 12 4

98 Subrecipient monitoring audit exercise (cont'd) Exercise: > Break into groups > Identify key risks 13 Subrecipient monitoring audit exercise (cont'd) Potential key risks: > Inaccurately categorizing a subrecipient as a vendor or vice-versa > Risk assessment is not performed > Risk assessment does not identify that the subrecipient is not viable (suspended, debarred, not financially viable, conflict of interest) > Invoices are not processed timely > Follow-up does not occur on audit findings > Insufficient financial and programmatic subrecipient oversight 14 Subrecipient monitoring audit exercise (cont'd) Exercise: > Break into groups > Brainstorm possible audit activities to address the key risks 15 5

99 Subrecipient monitoring audit exercise (cont'd) Potential audit activities: > Review whether the subrecipient is included in award documentation > Verify whether a subagreement exists and proper approvals were obtained > Review the results of the risk assessment > Test a sample of subrecipient invoices for: - Appropriate approvals - Timeliness of the invoice - Appropriate level of detail and support - Reasonableness and allowability of subrecipient costs 16 Subrecipient monitoring resources Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards National Institutes of Health National Science Foundation Federal Demonstration Partnership NCURA - Subrecipient Monitoring Begins in Pre-Award NCURA - Excellent Documentation for Subrecipient Monitoring: You're closer than you think 17 Conflicts of interest Conflicts of interest 18 6

100 Conflicts of interest definition > A conflict of interest (COI) is a situation in which financial or other personal considerations have the potential to compromise or bias professional judgment and objectivity > COI may be real or perceived; a conflict of interest implies only the potential for bias, not a likelihood > Though largely thought of in a financial context, COIs may also be related to relationships, previous experience, outside activities, etc. > COIs may be on an individual or institutional basis, or within a specific internal operation or department 19 Conflicts of interest regulations > "Significant financial interest" is broadly defined as anything of monetary value that could include salary or payment for services from an outside institution, any equity (stock) interests, and any intellectual-property rights > It does not include salary, royalties, or other remuneration from the investigator's home institution; income from seminars, lectures, or teaching sponsored by public or nonprofit entities; or income from service on advisory committees or review panels for public or nonprofit entities 20 Conflicts of interest Public Health Service requirements The Department of Health and Human Services regulations governing COI disclosure and reporting for individuals paid from Public Health Service (PHS) awards require: > Disclosure limit for a Significant Financial Interest is lowered from $10,000 to $5,000 this also includes reimbursed or sponsored travel costs > The time period to be considered is the preceding 12 months > Identified COIs on PHS awards must be disclosed to the awarding agency > Institutions must publish their COI policy on a publicly available website > Institutions must provide details about identified COIs for senior/key personnel > All investigators on PHS awards must attend a COI training, which must be refreshed every four years (or anytime there is a policy change) > Institutions are now also responsible for COI procedures of 
subrecipients 21 7

101 Conflicts of interest managing conflicts for individuals > Disclose the investigator's financial interests to any human subjects involved > Include the investigator's financial relations to the sponsor in all written and oral presentations, publications, and abstracts > Modify the research plan, including changing the site(s) of the trial > Monitor research by independent reviewers - Special oversight and approval of any consulting agreement language is required when faculty consult with companies in which they also hold equity interests. Clinical study oversight could include participant recruitment and enrollment, the informed consent process, analysis of study data, or subsequent reporting to the sponsor > Divestiture of significant financial interests > Severance of relationships that create actual or potential conflicts > Disqualification of the researcher from part or all of the research project 22 Conflicts of interest managing conflicts for the institution > Encourage transparency via disclosure of conflicts of interest among trustees and former trustees as well as university officials who often have close connections with boards of companies doing business with the institution > Place limits on involvement of faculty members and other institutional officials in companies > Exercise caution when technology-transfer official's remuneration is tied to stock values, as personal biases can influence judgments regarding stock sales or the acceptance of sponsored research agreements > Manage and review conflicts of interest using independent sources and external reviewers (including Internal Audit) > Build organizational firewalls so that potentially conflicted parties do not interact > Anticipate situations that could be perceived as compromising research and fiduciary integrity 23 Conflicts of interest audit focus areas > Assess the institution's COI policy - Who has to submit COI information? - How frequently is information collected? 
- How is information collected and stored (e.g., electronic or paper process)? - Who owns the COI process? - What is done when conflicts are identified? > Review a sample of faculty COI disclosures against research performed or the faculty's annual self-evaluation > Review any conflict management plans against actual procedures and practices > If concerns exist, obtain additional supporting documentation (such as faculty performance reviews or copies of faculty's tax information) 24 8

102 Conflicts of interest resources Office of Research Integrity Responsibility of Applicants in Promoting Objectivity in Research National Institutes of Health NIH Checklist for Policy Development National Science Foundation 25 Export controls Export controls 26 Export controls definition Export control regulations are sanction mechanisms intended to advance United States trade interests and foreign policy initiatives, and to protect and promote our national security > Export controls are governed by three federally-managed lists: - International Traffic in Arms Regulations (ITAR); Department of State - Export Administration Regulations (EAR); Department of Commerce - Office of Foreign Assets Control (OFAC); Department of the Treasury > Regulations apply to goods, technology, and related information > Institutions must be aware of deemed exports (transfer of items within a lab to foreign nationals) 27 9

103 Export controls EAR regulations > Covers dual use items found on the Commerce Control List (CCL), which includes goods, equipment, materials, and software and technology > Regulates items designed for commercial purposes which also have military applications (computers, pathogens, civilian aircraft, etc.) 28 Export controls ITAR regulations > Covers military items found on the United States Munitions List (USML) > Includes most space related technologies because of application to missile technology > Includes technical data related to defense articles and services > Policy of denial for exports to certain countries (see 22 CFR for up-to-date list) 29 Export controls OFAC regulations > Economic sanctions focus on end-user or country and may limit transfer of technologies and assistance to OFAC's list of sanctioned countries > OFAC has a Specially Designated Nationals and Blocked Persons List > Prohibits payments or providing value to nationals of sanctioned countries and certain entities or could require a license 30 10

104 Export controls exemptions Fundamental research exemption > Because the nature of research is to promote and foster the development and sharing of ideas, the government created the Fundamental Research Exemption for research related activities > Basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, is protected through this exemption, as opposed to proprietary research for industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons 31 Export controls exemptions (cont.) University based research is not considered fundamental research if: > A university accepts restrictions on the publication of the results of the project > If the PI has made a side deal > The agreement requires sponsor approval prior to publication > The government contract involves an ITAR project with access and dissemination of information controls > There is a transfer of defense services 32 Export controls exemptions (cont.) Public domain exemption > Includes information that is published and generally available to the public: - Through sales at bookstands and stores - Through subscriptions available without restrictions - At libraries open or available to the public - Through patents - Through unlimited distribution at a conference, meeting seminar, trade show, generally accessible to the public in the U.S. - Includes technology and software that are educational and released by instruction in catalog courses and associated labs and universities 33 11

105 Export controls exemptions (cont.) Artistic or non-technical publications exemption > Maps, children's books, sheet music, calendars, film, etc. Bona fide employee exemption (ITAR) > Foreign persons who are full-time regular employees of US institutions of higher education with permanent abodes in the U.S. throughout employment - Applies to unclassified technical data directly related to defense articles > Does not apply to foreign nationals from prohibited countries (22 CFR 126.1). > Does not apply to foreign graduate students > Must be informed in writing and agree not to transfer technology to another foreign national without a license 34 Export controls licensing Unless the Fundamental Research Exemption applies, a university's transfer of controlled (on the CCL or the USML) technology to a non-permanent resident foreign national may require a license from the relevant Department and/or be prohibited. The licensing process varies: > EAR: not too complicated, can apply electronically, no fee - Deemed Export license required for foreign national working with certain controlled proprietary technology - License needed to ship certain goods/technologies outside the U.S. > ITAR: very complicated and expensive - DSP-5/Technical Assistance Agreement required for foreign nationals working with export controlled technology/defense service - Technology Control Plan required > OFAC: application by letter, no fee 35 Export controls audit focus areas > Applicability of exemptions > Deemed exports > Licensing > Shipping and payments to foreign persons outside the U.S. > Travel - Physically taking items with you on a trip such as laptop, encryption products on your laptop, smart phone/cell phone, data/technology, blueprints, drawings, or schematics, other tools of the trade - Giving controlled technology/data to a foreign person outside the U.S

106 Export controls resources Bureau of Industry and Security (BIS), Department of Commerce EAR database Commerce Control List ITAR OFAC 37 Research misconduct and responsible conduct of research training 38 Research misconduct definition Research misconduct means fabrication, falsification, or plagiarism in proposing, performing, or reviewing research, or in reporting research results (a) Fabrication is making up data or results and recording or reporting them (b) Falsification is manipulating research materials, equipment, or processes, or changing or omitting data or results such that the research is not accurately represented in the research record (c) Plagiarism is the appropriation of another person's ideas, processes, results, or words without giving appropriate credit (d) Research misconduct does not include honest error or differences of opinion - Federal Research Misconduct Policy 39 13

107 Research misconduct regulations The White House's Office of Science and Technology Policy issued the Federal Research Misconduct Policy at the end of 2000, requiring all agencies supporting intramural or extramural research to implement their own policies regarding research misconduct. Most major sponsoring agencies have their own research misconduct requirements, though they are largely similar across agencies. Policies typically defer investigation of misconduct initially to the researcher's home institution. 40 Research misconduct regulations (cont.) The requirements for a finding of research misconduct are: > There be a significant departure from accepted practices of the relevant research community; > The misconduct be committed intentionally, knowingly, or recklessly; and > The allegation be proven by a preponderance of the evidence. 41 Research misconduct repercussions Individuals found guilty of research misconduct may have administrative actions imposed including: > Debarment from eligibility to receive Federal funds for grants and contracts > Prohibition from service on advisory committees, peer review committees, or as consultants > Certification of data or other information by the institution > Imposition of supervision on the respondent by the institution > Submission of a correction to or retraction of published articles > Modification of the terms of an award > Suspension or termination of an award > Recovery of funds 42 14

108 Responsible conduct of research training definition Since federally-funded research is tax-payer supported, researchers have an obligation to conduct their activities in a responsible manner. Responsible Conduct of Research (RCR) training is comprised of nine topic areas: > Acquisition, management, sharing and ownership of data > Animal welfare > Authorship/plagiarism > Collaboration > Conflict of interest > Human subject protections > Mentoring > Peer review > Research misconduct 43 Responsible conduct of research training purpose Some of the many benefits of RCR training are that it: > Encourages best practices in the conduct of research and scientific investigations > Fosters an ability to recognize an ethical choice and the ability to make a principled decision > Provides accessible educational opportunities and resources designed to help students and postdoctoral researchers meet the America COMPETES Act Responsible Conduct of Research training requirements > NSF requires that any student or postdoctoral researcher supported by NSF funding receive RCR training, while NIH requires only those individuals receiving awards with a training component to undergo RCR training - NSF requires attestation in all proposals that individuals working on an award receive training, while NIH proposals must incorporate the specific plan for how training will be delivered 44 Responsible conduct of research audit focus areas Internal audits or reviews of the RCR program should look for: > Documentation of researchers receiving training > Attestations included in grant proposals (as required by the sponsor) > Effectiveness and completeness of RCR training materials 45 15

109 Responsible conduct of research resources Office of Research Integrity Office of Research Integrity Introduction to the Responsible Conduct of Research National Institutes of Health National Science Foundation 46 Federal data protection 47 What is federal information? CDI: Covered Defense Information - Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract (see DFARS) CUI: Controlled Unclassified Information - Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified (see Executive Order and CUI Registry) FCI: Federal Contract Information - Any information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided to the public (e.g., publicly accessible website data) or simple transactional data (e.g., billing or payment processing data)

110 Examples of federal information CDI: Unclassified Controlled Technical Information or other information as described in the CUI Registry requiring safeguarding (see DFARS) CUI: Critical Infrastructure, Financial, Proprietary Business Information (see CUI Registry) FCI: Any information that is NOT provided to the public or simple transactional data (see Federal Register; Basic Safeguarding ruling) DFARS (CDI) DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting: Provides guidance to Federal Defense and Aerospace contractors around protecting Covered Defense Information (CDI) and reporting cyber incidents affecting contractor information systems or CDI residing within those systems to the Federal Government, and requires contractors to do the following: > Implement adequate cybersecurity safeguarding controls on all covered contractor information systems in accordance with specific frameworks and standards set forth in the ruling > Rapidly report cyber incidents affecting contractor information systems or CDI residing within those systems to the Federal Government DFARS (CDI) (cont.) DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting continued IMPLEMENTATION OF ADEQUATE CYBERSECURITY SAFEGUARDING CONTROLS: > Where contractor is handling CDI on their systems, must implement safeguarding controls according to NIST SP > For systems operated on behalf of the government, see specific contract guidance and/or DFARS Cloud Computing Services if applicable > Any other such services or systems (i.e., other than cloud computing) are subject to the security requirements specified in those contracts > All contractors, subcontractors, suppliers, and partners must implement NIST SP security requirements by December 31,

111 DFARS (CDI) (cont.) DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting continued REPORTING OF CYBER INCIDENTS: > A cyber incident is any action taken through computer networks resulting in the compromise, or an actual or potentially adverse effect, of an information system and/or the information residing within those systems > Cyber incidents shall be reported to DoD within 72 hours of discovery via DoD's Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal > Contractors must acquire a DoD-approved medium assurance certificate from Defense Information Systems Agency (DISA) to access the DIB portal > Subcontractors who handle CDI under prime contracts with the Federal Government are required to report cyber incidents directly to DoD and their prime contractor customers (or next higher-tier subcontractor) FAR (FCI) FAR Part Basic Safeguarding of Contractor Information Systems > Effective June 2016; requires contractors to implement 15 safeguarding controls and procedures, mapping to 17 control requirements in NIST SP > Applies to covered contractor information systems owned or operated by contractors that process, store, or transmit FCI > Establishes basic, minimal information system safeguarding standards which Federal agencies are already required to follow internally and most prudent businesses already follow as well > Rule does not apply to sales of commercially available off-the-shelf (COTS) items > For example, contractors who are resellers of COTS items (e.g., printers, copiers) may not be impacted CFR 2002 (CUI) 32 CFR 2002 Controlled Unclassified Information > Effective November 2016; resulting from Executive Order 13556, establishes policy for designating, handling, and decontrolling information that qualifies as CUI > Describes, defines, and provides guidance on the minimum protections (derived from existing agency practices) for CUI; including physical and electronic environments, marking, sharing, 
destruction, and decontrol Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities) The National Archives, as the Executive Agent (EA) of CUI, has developed the CUI Registry ( which is the authoritative source for guidance regarding CUI policies and practices CUI is currently organized into 23 categories and 84 sub-categories 55 18

112 FAR Proposed (CUI) FAR Case Controlled Unclassified Information Implements the National Archives and Records Administration (NARA) CUI program of E.O As the executive agent designated to oversee the Government-wide CUI program, NARA issued regulations in 2016 to address agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. Applies the requirements contained in the 32 CFR Part 2002 and NIST SP to industry (i.e., beyond defense contractors) Specific clause 32 CFR Safeguarding - Types of CUI standards (i.e., basic or specified) - Non-Federal information systems must use NIST SP Other research data Research sponsors typically reserve the right to audit data and examine records relevant to a grant. Data Management and Data Use Agreements In most cases, the institution owns the rights to the data. However in some sponsored research, the sponsor retains ownership. The Bayh-Dole Act of 1980 allowed universities to have control of the intellectual property generated from federally-funded research. NSF policy, effective as of January 18, 2011, requires all proposals to include a data management plan. Various federal agencies and other research sponsors have different data security and retention requirements. Sponsors also have requirements related to the timely sharing of data. 52 NIST SP Agencies must use NIST SP when establishing security requirements to protect CUI's confidentiality on non-federal information systems (i.e. contractors' systems) NIST SP Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Revision 1 Intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations (i.e. 
contractors) NIST SP should be used when a contractor receives CUI incidental to providing a service or product to the Government (e.g., producing a study, conducting research, creating training, building an aircraft or ship, etc.) Describes 110 total controls across 14 control families Provides mapping to NIST SP Revision 4 and ISO information security controls 53 19

113 Who will be impacted? ALL contractors who handle CDI, CUI, and FCI are impacted by recent guidance and legislation (or soon will be): > Per DoD guidance, the government and contractors are responsible for identification of CDI in contracts or marking as such > Failure to clearly identify or mark CDI does not exempt contractors handling CDI from these requirements > Contractors should contact their government or next higher tier contractor customer procurement or contract representatives 58 Who will be impacted? For subcontractors and suppliers, flow-down requirements apply! > Subcontractors are ultimately responsible for implementing cybersecurity safeguarding controls to be in compliance > Subcontractors will be held accountable for breaches if they have not implemented required controls > Prime contractors may be impacted by breaches involving their subcontractors - Prime contractors may proactively engage key subcontractors to understand their current security posture and assess risk to their contracts - Collaborative solutions are being implemented to capture information on subcontractors' cybersecurity safeguarding practices 59 Federal data protection audit tips > Work with your general counsel or legal on all privacy related audits/assessments/reviews due to the complex nature and variety of privacy and security laws and regulations > Include privacy and security specific questions or criteria into the scope of all types of audits (e.g., financial, operations, IT) > Be prepared to modify the scope of audits due to privacy and security's pervasive reach 60 20

114 Federal data protection audit tips (cont.) > During a privacy/security risk assessment or audit, Internal Audit should involve: - General counsel or legal - Compliance - Information technology and security - Human resources - Admissions - Financial aid - Registrar - Development/Advancement - Clinic and counseling center - Finance and accounting - Dining services - Athletics 61 Federal data protection audit tips (cont.) > Perform an early morning or late night inspection of departments and offices (with cooperation of police/public safety/security) to identify: - Unsecured (e.g., out on desks, left on printers/copiers) physical records containing personal information - Computer equipment not physically secured or screen locked > Review mobile device (e.g., smart phones, tablets, laptops) security configurations by working with technical experts in IT/security > Review information security plans/programs against legal requirements 62 Other sponsored research compliance topics 63 21

115 Other sponsored research compliance topics > Human and animal subjects > Service centers > Intellectual property and technology transfer > Award closeout 64 Thank you! 65 22

116 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2/26/2018 Auditing sponsored research compliance: selected cost elements and recent federal audit scrutiny Presentation contents > Session objectives > Common cost elements subject to federal audit scrutiny > Current federal Offices of Inspector General (OIG) audit work plans > Summary of recent federal audits and settlements > Audit tips 2 Session objectives > Understand specific types of costs that are often subject to federal audit scrutiny > Provide an overview of current and planned audit activities by federal OIGs > Understand the impact of recent federal audit findings and settlements 3 1

117 Common cost elements subject to federal audit scrutiny 4 Administrative and clerical costs Historically, universities were expected to recover the cost of administrative and clerical personnel through the application of the F&A rate, except in rare circumstances (such as major program project grants). Under the UG, interpretations have been that administrative and clerical salaries can now be included as direct charges. 5 Administrative and clerical costs (cont.) NOT SO FAST! 6 2

118 Administrative and clerical costs (cont.) Section (c) of the UG states: The salaries of administrative and clerical staff should normally be treated as indirect (F&A) costs. Direct charging of these costs may be appropriate only if all of the following conditions are met: 1. Administrative or clerical services are integral to a project or activity; 2. Individuals involved can be specifically identified with the project or activity; 3. Such costs are explicitly included in the budget or have the prior written approval of the Federal awarding agency; and 4. The costs are not also recovered as indirect costs. 7 Computers and equipment Charging computers to a research award has long been one of the most debated cost items. The main challenge was meeting the requirement to prove allocability for computer devices to specific projects. Section (c) of the UG includes a specific reference to costs of computing devices within the description of materials and supplies, specifically: In the specific case of computing devices, charging as direct costs is allowable for devices that are essential and allocable, but not solely dedicated, to the performance of a Federal award. 8 Conferences Though researchers are expected to share their research results and such activities are considered allowable costs, conference costs can be an area of auditor focus for a number of reasons: > Specific conferences (or any conference activity) are often not detailed in the project budget > Sending graduate students or research assistants to conferences > Materials and supplies costs associated with presentations > Timing of presenting research results typically near the end (or after) the grant budget period > Justification/support for allocability of conference costs to a specific grant > Reasonableness and allowability concerns 9 3

119 Salary costs Personnel costs account for over one-third of all research costs. Thus, sponsors often choose effort reporting as an audit focus area. However, there is no precise way to measure time spent on each individual activity that comprises a faculty member's salary. Institutions were required to complete effort reporting under OMB Circular A-21, but the Uniform Guidance has relaxed the requirements and expanded the options available for confirming salary costs charged to Federal awards. 10 Salary costs (cont.) > Charges for work on sponsored agreements are to be based on the faculty member's regular compensation that constitutes the Institutional Base Salary (IBS) > Charges to sponsored agreements may not exceed the proportionate share of the base salary for that period, based on the level of effort allocated > Charges for work performed during the summer months (or other periods) not included in the IBS will be determined based on the relative amount of base salary that would be paid (i.e., a nine-month faculty working two summer months would be eligible for up to 2/9 IBS for the additional activity) 11 Salary costs supporting costs charged Per the UG, salaries charged must be based on records accurately reflecting the work performed, which must: > Be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated > Be incorporated into the official records of the organization > Reasonably reflect total activity for which the employee is compensated, not exceeding 100% of compensated activities > Encompass both federally funded and all other compensated activities on an integrated basis > Comply with the established accounting policies and practices of the organization > Support the distribution of the employee's salary among specific activities or cost objectives 12 4

120 Subrecipients Though costs incurred (and subsequently invoiced) are typically beyond the control of the prime awardee, the same AARC requirements apply for these costs to be passed along to a federal sponsor. Subrecipients can often be seen as low-hanging fruit during audits, so costs charged and invoiced by subawardees should receive at least as much scrutiny as those charged through the institution. 13 Travel While travel expenses are a common direct cost, there are many challenges and compliance concerns associated: > Domestic versus international travel funds > Fly America Act > Lowest available airfare requirements > Use of per diem or actual expense reimbursement > Split allocation of travel costs > International travel concerns (e.g., acceptance of credit cards and/or funds availability, availability of receipts, cost of visas) 14 Current OIG Audit Work Plans 15 5

121 OIG work plans an overview As OIGs have a reporting responsibility to Congress and taxpayers, most of their work (including annual work plans) is available online. This includes: > Annual Work Plans > Semi-Annual Reports to Congress > Results of specific audits > Descriptions of challenges and risks for the specific agency This information can be used to help advise and guide an institution's internal audit function or research leadership to understand what are likely focus areas for Federal audits. 16 OIG work plans Department of Health and Human Services (DHHS) The DHHS 2018 Work Plan includes: > Reviewing payments, obligations, reimbursements, and other uses of Superfund money provided by the National Institute of Environmental Health Sciences > Assessing the effectiveness of institutions' monitoring processes over subcontracted services to determine whether federal funds are spent on allowable goods and services > Evaluating compliance with selected cost principles > Reviewing the basis of the dollar value of Federal grants received with input from HHS operating divisions, the office of Assistant Secretary for Financial Resources, and the office of Assistant Secretary for Administrations 17 OIG work plans National Science Foundation (NSF) The NSF's FY 2018 Work Plan includes: > Accountability over major facilities - Assess NSF's controls to prevent misallocation of appropriations for the construction and operations of major facilities > Management of contracts - Audit NSF's compliance with contracting requirements in the Federal Acquisition Regulation and the National Science Foundation Acquisition Manual > Oversight of foreign awardees - Initiate an audit on NSF's processes for monitoring awards to foreign awardees > Funding model for the University-National Oceanographic Laboratory System's major overhaul and stabilization accounts - Assess the amount of outstanding MOSA surpluses across the UNOLS 18 6

OIG work plans: NSF (cont.)

> Incurred cost audits of NSF awardees
  - Audit incurred costs and compliance with applicable requirements at various universities, nonprofits, and for-profit entities
> Review of the quality of Single Audits
  - Conduct desk reviews of approximately 120 Single Audit report packages
  - Conduct quality control reviews of the audit work for two Single Audits

NSF data analytics audits: the trend in cost audits

The data driven audit process was founded in This process is intended to use data available to NSF from public and private sources to apply risk-based criteria to identify potentially unallowable costs charged to NSF grants. Whereas prior OIG audit methods would only provide coverage to two or three programs and tens of transactions, NSF now reviews 100 percent of transactions charged to NSF awards for a set period of time (2-3 years). This process has been recognized as a best practice by the government's Model Agency Initiative.

NSF data analytics audits: approach

NSF data analytics audits: challenges

While the theory behind the NSF's data analytics approach makes sense, universities have experienced many challenges when the results are put into practice. This includes:
> Use of external accounting firms with little or no knowledge of research operations
> Broad impact and reach across campus
> Cost of audit support activities (time and resources)

To date, these audits have resulted in millions of dollars in questioned costs, but the audit resolution process has closed most for a fraction of the amount originally questioned.

NSF data analytics audits: example results

University: UCLA, UCSB, Virginia Tech, Michigan State, Univ of Florida (for each: Amount Questioned, Amount Sustained)
Exceed 2 Month Salary Limit/2 month salary calculation error $1,913,474 $0 $2,111,653 $0 $1,456,716 $0 $913,210 $0 $867,188 $0
Cost Share $2,821,676 $
Unallowable - Pre Award $3,166 $
Unreasonable - Toward Award End - - $30,886 $0 $118,329 $35, $11,108 $10,175
Unallowable - After Award End $555,162 $ $42,958 $42,958
Unallocable - Travel - - $137,243 $50,451 $2,101 $2, $5,495 $5,495
Unsupported-Incomplete/No Documentation $23,278 $23,278
Unreasonable - Allocation $323,873 $38,320 $2,263 $3, $9,544 $9,544
Unallowable - Promotional/Gift/Other $228,583 $ $24,103 $24,103
Unallowable - Meals $6,085 $ $7,160 $7,160
Unallowable - Indirect Costs $473,465 $5,231 $3,200 $3,200 $15,585 $15, $1,628 $1,628
Unreasonable - Relocation/Visa - - $73,135 $73,135 $11,398 $11,
TOTAL Questioned Costs $6,325,484 $43,551 $2,358,380 $130,469 $1,604,129 $64,138 $913,210 $0 $992,462 $124,

Summary of recent federal audits and settlements

Recent settlement #1: University of Southern California

HOLD Will add recent settlement slides

Recent audit #1: University of Southern California

Scope: The National Science Foundation Office of Inspector General engaged a consultant to conduct a performance audit of incurred costs at the University of Southern California (USC) for the period October 1, 2011, to September 30, The audit encompassed more than $324 million comprising all costs claimed to NSF.

Case specifics: The objective of the audit was to determine if costs claimed by USC during this period were allocable, allowable, reasonable, and in conformity with NSF awards terms and conditions and applicable Federal financial assistance requirements. The auditors questioned $629,479 of costs claimed by USC during the audit period; findings included $304,290 of unreasonable expenses near award expiration and $217,387 of misapplied indirect costs (IDC) on subawards.

Results: The resolution of this audit is still pending

Recent audit #2: University of Arizona

Scope: The National Science Foundation Office of Inspector General engaged a consultant to conduct a performance audit of incurred costs at the University of Arizona (UA) for the period January 1, 2012, to December 31, The audit encompassed more than $176 million comprising all costs claimed to NSF.

Case specifics: The objective of the audit was to determine if costs claimed by UA during this period were allocable, allowable, reasonable, and in conformity with NSF awards terms and conditions and applicable Federal financial assistance requirements. The auditors questioned $56,904 of costs claimed by UA during the audit period, and findings included $39,770 in inappropriate subaward payments and $12,196 in improperly allocated compassionate leave. Additionally, the auditors noted an other matter related to an improperly coded transaction, that indicated a deficiency in internal controls, but was otherwise not a questioned cost.

Results: The resolution of this audit is still pending

Recent audit #3: Georgia Tech

Scope: The National Science Foundation Office of Inspector General engaged a consultant to conduct a performance audit of incurred costs at Georgia Tech Research Corporation (Georgia Tech) for the period April 1, 2012, to March 31, The audit encompassed more than $201 million comprising all costs claimed to NSF.

Case specifics: The objective of the audit was to determine if costs claimed by Georgia Tech during this period were allocable, allowable, reasonable, and in conformity with NSF awards terms and conditions and applicable Federal financial assistance requirements. The auditors questioned $68,837 of costs claimed by Georgia Tech during the audit period, and findings included $62,009 in purchases of equipment near the end of the award that did not appear to benefit the NSF award charged and $6,828 in travel and relocation costs that did not appear reasonable and necessary for the awards charged or were not in compliance with NSF requirements.

Results: The resolution of this audit is unresolved

Recent audit #4: University of California-Davis

Scope: The National Science Foundation Office of Inspector General conducted a performance audit of costs totaling approximately $142 million charged by University of California-Davis (UC-Davis) to its sponsored agreements with NSF during the period January 1, 2008, to December 31,

Case specifics: The objectives of this audit were to determine whether (1) UC-Davis has adequate systems in place to account for and safeguard NSF funds, and (2) costs claimed by UC-Davis under a number of NSF awards were reasonable, allowable, and allocable and in conformity with NSF award terms and conditions and applicable Federal financial assistance award requirements. OIG questioned over $2.3 million, including over $380k of equipment charges for which UC-Davis could not document allowability on NSF awards and over $1.8 million of salary, benefits, and associated indirect costs for faculty and other senior personnel that were unreasonable and exceeded NSF limitations.

Results: The resolution of this audit is still pending

Recent audit #5: Scripps Institution of Oceanography

Scope: The National Science Foundation Office of Inspector General engaged a consultant to conduct a performance audit of incurred costs at Scripps Institution of Oceanography, University of California, San Diego (Scripps) for the period April 1, 2012, to March 31, The audit universe included more than $110 million in costs claimed to NSF.

Case specifics: The objective of the audit was to determine if costs claimed by Scripps during this period were allocable, allowable, reasonable, and in conformity with NSF award terms and conditions and applicable Federal financial assistance requirements. The auditors questioned $111,516 of costs claimed by Scripps during the audit period, and findings included $95,203 in equipment, materials, and supplies expenses unreasonably purchased near award expiration and $7,723 in unallowable direct costs.

Results: The resolution of this audit is still pending

Audit tips

> Understand what your institution's monitoring procedures are and evaluate both the design and effectiveness
  - Is there any current oversight or compliance monitoring being done in another area (such as sponsored programs)?
> When auditing research activities, engage PIs in conversations to better understand the nature of the research work performed. Much of cost appropriateness relates to the allocability of costs, so being able to obtain as much information as possible regarding why a cost was necessary will help support the cost as charged

Audit tips (cont.)

> Look for missing costs when auditing areas like travel. For instance, if a PI went to a conference and charged the cost of a hotel, you would also expect to have associated airfare or mileage reimbursement
> If performing transaction testing, be sure to include costs from some of the more commonly troublesome cost types

Audit tips (cont.)

> Consider ability to perform data analysis to assist in identifying potentially inappropriate costs (both for a specific grant or for a broader portfolio). Areas for focus may include:
  - Keyword searches for unallowable cost types
  - Spending beyond budgeted amounts for various cost categories
  - Spending spikes
  - Split transactions
  - Timing of purchases
    Before award start date or near or after award close
    Purchases made on holidays or weekends
  - Transactions for round dollar amounts
  - Vendor frequency analysis
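Several of the data-analysis checks listed above (keyword search, purchase timing, round dollar amounts, split transactions) can be run over a transaction export in a few lines. This is an added example, not part of the original presentation; the record fields, keyword list, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed parameters; tune them to the institution's own policies.
UNALLOWABLE_KEYWORDS = ("alcohol", "gift", "entertainment", "promotional")
NEAR_END_DAYS = 30                # "near award close" window
SPLIT_THRESHOLD_CENTS = 500_000   # hypothetical $5,000 purchasing limit
ROUND_UNIT_CENTS = 10_000         # flag exact multiples of $100


@dataclass(frozen=True)
class Award:
    start: date
    end: date


@dataclass(frozen=True)
class Txn:
    txn_id: str
    award: str
    vendor: str
    posted: date
    amount_cents: int   # integer cents avoid float rounding in comparisons
    description: str


def flag_transactions(txns, awards, holidays=frozenset()):
    """Return {txn_id: sorted list of flags}. A flag is a lead to review, not a finding."""
    flags = defaultdict(set)
    same_day = defaultdict(list)   # (award, vendor, date) -> transactions
    for t in txns:
        award = awards[t.award]
        text = t.description.lower()
        if any(word in text for word in UNALLOWABLE_KEYWORDS):
            flags[t.txn_id].add("keyword")
        # Timing relative to the award period.
        if t.posted < award.start:
            flags[t.txn_id].add("before_start")
        elif t.posted > award.end:
            flags[t.txn_id].add("after_end")
        elif (award.end - t.posted).days <= NEAR_END_DAYS:
            flags[t.txn_id].add("near_end")
        # weekday() is 5 for Saturday and 6 for Sunday.
        if t.posted.weekday() >= 5 or t.posted in holidays:
            flags[t.txn_id].add("weekend_or_holiday")
        if t.amount_cents > 0 and t.amount_cents % ROUND_UNIT_CENTS == 0:
            flags[t.txn_id].add("round_amount")
        same_day[(t.award, t.vendor, t.posted)].append(t)
    # Split transactions: several same-day charges to one vendor on one award,
    # each under the limit but together at or above it.
    for group in same_day.values():
        total = sum(t.amount_cents for t in group)
        if (len(group) > 1 and total >= SPLIT_THRESHOLD_CENTS
                and all(t.amount_cents < SPLIT_THRESHOLD_CENTS for t in group)):
            for t in group:
                flags[t.txn_id].add("split")
    return {t.txn_id: sorted(flags[t.txn_id]) for t in txns}


# Constructed sample data (not taken from any audit).
SAMPLE_AWARDS = {"AWD-001": Award(date(2017, 1, 1), date(2017, 12, 31))}
SAMPLE_TXNS = [
    Txn("T1", "AWD-001", "Lab Supply Co", date(2017, 3, 15), 123_456, "pipette tips"),
    Txn("T2", "AWD-001", "Campus Store", date(2017, 6, 10), 50_000, "Promotional gift cards"),
    Txn("T3", "AWD-001", "Instrument Corp", date(2017, 12, 20), 499_900, "spectrometer part 1 of 2"),
    Txn("T4", "AWD-001", "Instrument Corp", date(2017, 12, 20), 310_050, "spectrometer part 2 of 2"),
    Txn("T5", "AWD-001", "Air Carrier", date(2018, 1, 15), 250_075, "conference airfare"),
    Txn("T6", "AWD-001", "Reagent Depot", date(2016, 12, 14), 316_600, "reagents"),
]

if __name__ == "__main__":
    for txn_id, found in flag_transactions(SAMPLE_TXNS, SAMPLE_AWARDS).items():
        print(txn_id, ", ".join(found) or "no flags")
```

Budget overruns, spending spikes and vendor frequency need budget and history data that this sketch does not model.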

Human and animal subjects

Human subjects: definition

A human subject is defined as a living individual about whom a researcher (whether a professional or a student) obtains data through intervention or interaction with the individual or from individually identifiable information.
> Regulations and ethical guidelines governing the use of human subjects:
  - 45 CFR 46: Protection of human subjects
  - Guidelines for Conduct of Research Involving Human Subjects at NIH
  - The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research
  - Nuremberg Code: Directives for human experimentation
  - World Medical Association Declaration of Helsinki

Human subjects: example research activities

Some examples of activities that may (or may not) be human subjects research include:
> Classroom activities include instructing students in research methodologies and techniques. If the sole purpose of the activity is to teach students research techniques or methodology with no intention to develop or contribute to generalizable knowledge, it is not considered research
> Service surveys issued or completed by University personnel for the intent and purposes of improving University services/programs or for developing new services or programs; as long as it is voluntary and confidentiality maintained
> Information-gathering interviews where questions focus on things, products, or policies; examples include interviewing librarians about inter-library loan policies or rising journal costs

Human subjects: oversight

Human subject research is controlled at an institution based on oversight and monitoring by the Institutional Review Board (IRB). The IRB is responsible for approving any research protocols involving human subjects, and monitoring the conduct of these research activities.
> The IRB reviews human subject research projects according to three principles:
  - Minimize the risk to human subjects (beneficence)
  - Ensure all subjects consent and are fully informed about the research and any risks (autonomy)
  - Promote equity in human subjects research (justice)
> All human subjects research (including but not limited to recruitment) must be approved by the IRB before commencing. The IRB typically approves projects for one year, thereafter conducting annual reviews

Human subjects: audit focus areas

Areas of focus for internal audit include:
> Appropriate IRB approval and oversight
> IRB membership, support and workload
> Reporting of problems
> Informed consent
> Data collection and protection
> Assessment of efficiency, effectiveness, compliance, and improvement processes
> Charging of costs related to IRB protocols

Human subjects: resources

National Institutes of Health, Office of Human Subjects Research
US DHHS Office of Extramural Research
Office for Human Research Protections

Animal subjects: definition

Animal subject research includes the use of live, vertebrate animals for testing, research, or instructional purposes as well as the use of non-living vertebrate materials and the noninvasive observation of wildlife. The Office of Laboratory Animal Welfare (OLAW) provides guidance and interpretation of the PHS Policy on Humane Care and Use of Laboratory Animals, supports educational programs, and monitors compliance with the Policy by Assured Institutions and PHS funding components to ensure the humane care and use of animals in PHS-supported research, testing, and training, thereby contributing to the quality of PHS-supported activities.

Animal subjects: regulations and ethical guidelines

> Health Research Extension Act of 1985 (Public Law )
  - Provides the legislative mandate for the PHS Policy
  - Directs the Secretary of HHS to establish guidelines for the proper care and treatment of animals used in research, and for the organization and operation of animal care committees
> Guide for the Care and Use of Laboratory Animals
  - The PHS Policy mandates that institutions use the Guide as a basis for developing and implementing an animal care and use program
  - Intended to assist institutions in caring for and using animals in ways judged to be scientifically, technically, and humanely appropriate
  - Institutional responsibilities include monitoring animal care and use, provisions for veterinary care, training for personnel, and the establishment of an appropriate occupational health and safety program
  - Professional standards encompass the animal environment, animal husbandry and management, veterinary care, and design and construction of animal facilities

Animal subjects: regulations and ethical guidelines (cont.)

> U.S. Government Principles for the Utilization and Care of Vertebrate Animals Used in Testing, Research, and Training
  - The PHS Policy implements nine U.S. Government Principles that are the foundation for humane care and use of laboratory animals in this country. These principles were developed by the Interagency Research Animal Committee and adopted in 1985 by the Office of Science and Technology Policy
> Animal Welfare Regulations (9 CFR, Chapter 1)
  - The Animal Welfare Act (AWA) is the principal federal statute governing the sale, handling, transport and use of animals
  - Compliance with the Animal Welfare Regulations is an absolute requirement of the PHS Policy
  - Through a formal MOU, the USDA, FDA and NIH cooperate with one another to facilitate implementation of, and foster institutional compliance with, the Animal Welfare Regulations and the PHS Policy

Animal subjects: oversight

Research involving animal subjects is controlled at an institution based on oversight and monitoring by the Institutional Animal Care and Use Committee (IACUC). The IACUC is responsible for approving any research protocols involving animal subjects, and monitoring the conduct of these research activities. The IACUC is a self-regulating entity that, according to federal law, must be established by institutions that use laboratory animals for research or instructional purposes to oversee and evaluate all aspects of the institution's animal care and use program.

Animal subjects: audit focus areas

Areas of focus for internal audit include:
> Appropriate IACUC approval and oversight
> Appropriate training for researchers and staff
> Animal husbandry practices and related charges
> Reporting of problems
> Assessment of efficiency, effectiveness, compliance, and improvement processes

Animal subjects: resources

DHHS, Office of Laboratory Animal Welfare
Guide for the Care and Use of Laboratory Animals
U.S. Department of Agriculture Animal Welfare Regulations

Intellectual property and technology transfer

Intellectual property and technology transfer: definitions

> Intellectual property (IP) is a form of property rights created by law, whether statutory or common law, which confer legally enforceable exclusive rights in economically valuable creations of the human mind
> Technology transfer is the handing off of intellectual property rights from the university to the for-profit sector for purposes of commercialization

Intellectual property and technology transfer: how does this apply?

Common forms of intellectual property at a university include:
> Patents provide time-limited legal monopolies over technological innovations or inventions, such as new machines, medical devices, chemicals, compounds, and methods for performing tasks. Patents must be applied for and approved (issued) by the United States Patent and Trademark Office in order to be enforced
> Copyrights protect creative works such as books, movies, music, paintings, photographs, and software and give the author protection from unauthorized copying of such materials. Copyright protection comes into existence upon creation and does not need to be registered
> Trademarks: unique identifiers used on or in connection with goods and services. Trademarks include logos or the like. Trademarks, like copyrights, do not need to be registered to be enforceable

Intellectual property and technology transfer: ownership

Prior to 1980, any invention discovered or created through the expenditure of federal funds was owned by the U.S. government
> Each granting agency had its own policies regarding treatment of inventions
  - Resources for evaluating and patenting discoveries were rather limited
  - Most federally-funded discoveries sat aging in the federal archives and were rarely given the opportunity to make it to the marketplace

Bayh-Dole Act of 1980
> Gave non-profit institutions and small businesses the right to elect title (i.e., ownership rights) to their inventions that had been sponsored by federal funds
  - Institutions have certain responsibilities under the Act, such as reporting inventions to the sponsor in a timely manner and sharing income from those inventions with the inventors
  - The government retains certain rights, including a non-exclusive, irrevocable, paid-up license to practice the invention and the right to license the invention to third parties under exceptional circumstances, such as critical unmet public health needs

Intellectual property and technology transfer: role of the technology transfer office

A technology transfer office may assist investigators with IP in the areas of:
> Disclosure facilitation: provide advice about potential tech transfer issues during research activities and to assist in the invention reporting process
> Patenting and other protections: provide guidance in planning an effective patent, copyright, or trademark strategy and handle all implementation details during the protection stage
> Start-up assistance: provide assistance in analyzing potential opportunities to form a start-up based upon university-technology and encourage this interaction during the early invention reporting process
> Licensing: assist in technical and market assessments and actively market university technologies to industry partners
> Legal support: provide legal guidance and assistance for all tech transfer activities

Intellectual property and technology transfer: audit tips

Internal audits or reviews of IP and tech transfer should look for:
> Processes and procedures for identifying intellectual property
> Potential conflicts of interest
> Tracking and reporting of licensed technology or IP
> Appropriate recording of revenue from licensed technology or IP (e.g., payment of royalties)
> Timely reporting to sponsors

Intellectual property and technology transfer: resources

U.S. Copyright Office
U.S. Patent and Trademark Office
37 CFR Chapter 4, Part 401: Rights to Inventions Made by Nonprofit Organizations and Small Business Firms Under Government Grants, Contracts, and Cooperative Agreements

Recharge/service centers

Recharge/service centers: definition

A service center is defined as a department, or functional unit within a school or department, that performs specific technical or administrative services for a fee. These units provide goods or services for a fee based on a rate schedule, and may recover no more than the cost of the goods or services and are to break even over time
> Examples of service centers are cell sorting facilities, magnetic resonance imaging facilities, or animal care facilities.

Recharge/service centers: regulations

Governing regulations are located in Section of the UG
> The costs of services provided by highly complex or specialized facilities operated by the non-federal entity, such as computing facilities, are allowable, provided the charges for the services meet one of the conditions listed below:
  - Does not discriminate between activities under Federal awards and other activities of the non-federal entity, including usage by the non-federal entity for internal purposes, and
  - Is designed to recover only the aggregate costs of the services. The costs of each service must consist normally of both its direct costs and its allocable share of all indirect (F&A) costs. Rates must be adjusted at least biennially, and must take into consideration over/under applied costs of the previous period(s).

Recharge/service centers: regulations (cont.)

Governing regulations (cont.)
> The costs of such services must be charged to the applicable awards based on actual usage of the services
> Where the costs incurred for a service are not material, they may be allocated as indirect (F&A) costs
> Under some extraordinary circumstances, where it is in the best interest of the government and the institution to establish alternative costing arrangements, arrangements may be worked out with the Federal cognizant agency for indirect costs

Recharge/service centers: audit focus areas

Internal audits or reviews of service centers should look for:
> History of surpluses (revenues exceeding expenditures) without an accompanying rate adjustment
> Frequency of service center rate reviews and true-ups
> Costs not following Cost Accounting Standards for reasonableness, allocability, allowability, and consistent treatment
> Unrelated business income tax issues, when the primary function of specialized services facilities (i.e., service centers) is not part of the core mission of the institution
> Fluctuations in payroll costs, which may indicate departments parking expenditures or using service center funds as bridge funding while there are gaps in other sponsored projects

Recharge/service centers: resources

Regulatory Guidance
Uniform Guidance, Subpart E: Specialized service facilities

Conflicts of interest

Award closeout

Award closeout: definition

Sponsored awards have many accompanying reporting requirements throughout the life of the award, to report on both financial and technical progress. At the completion of an award, institutions are expected to provide the sponsor with final technical and financial reports, file any invention disclosures/claim intellectual property rights, and deobligate any remaining funds.

Award closeout: increased scrutiny

In 2012, the Government Accountability Office (GAO) issued a report entitled Grants Management: Action Needed to Improve Timeliness of Grant Closeouts by Federal Agencies
> This report identified nearly $795 million in grant funding that had not been appropriately closed and returned to government agencies to allow for other uses

Award closeout: challenges

> Differing deadlines between sponsors (and even types of awards)
> Resource availability (and understanding)
> Dispersed roles and responsibilities
  - Financial reporting is typically completed by an administrative office, while technical reports must be completed by the PI
> Insufficient oversight and monitoring during the life of the award

Award closeout: differing sponsor expectations

Agency          FFR Due    Deobligation of Funds    Technical Reporting
HHS (non-NIH)   90 days    90 days                  90 days
NIH             120 days   120 days                 120 days
NSF             120 days   120 days                 120 days*
DoD             120 days   120 days                 days
Most Others     90 days    90 days                  90 days

Conflicts of interest

Cost sharing

> An institution may share or match costs on a project to cover the total expense of completing the work. Cost sharing can be committed (included in the project proposal/budget; possibly even required by the sponsor) or voluntary. Many times cost sharing is accomplished by:
  - Covering a portion of salary
  - Not charging for F&A (indirect) rate recovery
  - Sharing the cost of major equipment
  - Paying for necessary facility upgrades or improvements
  - In-kind contributions

Cost sharing (cont.)

All cost sharing for awards should be tracked and reported to the sponsor (especially as it relates to effort reporting). Federal regulations require that cost sharing be:
> Verifiable
> Allowable
> Incurred during the period of the award
> Not from other federally-funded sources

Uniform Guidance procurement regulations

UG procurement regulations

The Uniform Guidance formalized requirements for procurements with federal funds. Based on this guidance, non-federal entities must:
> Follow documented policies and procedures (as long as those conform to federal and local laws)
> Provide oversight to ensure contractors perform in accordance with terms, conditions, and specifications of their agreements
> Have written standards governing conflicts of interest
> Avoid acquisition of unnecessary or duplicative items
> Award contracts only to responsible contractors
> Be responsible for the settlement of all contractual and administrative issues arising out of procurements

UG procurement regulations: documentation requirements

All procurement activities are expected to be made through full and open competition according to the Uniform Guidance. Institutions must also maintain records sufficient to detail the history of the procurement. This includes:
> Rationale for the method of procurement
> Selection of contract type
> Contractor selection or rejection
> Basis for the contract price

UG procurement regulations

UG procurement regulations: practical application

Required implementation of the procurement requirements of the Uniform Guidance has been granted a grace period of two fiscal years from the effective date of the Uniform Guidance (e.g., starting July 1, 2017, for most universities). This extension is designed to allow ongoing discussion and clarification in an attempt to lessen the burden of requirements. However, an institution must document that it has elected to take the extension as part of its procurement policies as of the first fiscal year after the Uniform Guidance was enacted.

Cost transfers

Cost transfers

> By performing routine reviews of costs charged to an award, institutions can identify any costs which were inappropriately charged. These costs can then be transferred to the appropriate project, award, or a non-sponsored account
> While cost transfers may draw increased audit scrutiny, they are an expected component of research operations. If necessary, it's better to have cost transfers on (or off) an award than an inappropriate cost!

Cost transfers (cont.)

> Cost transfers should be made as soon as possible, but should be made no later than 90 days after discovery of the error (maximum 120 days from the date of the transaction)
  - Late cost transfers are a significant red-flag for federal auditors
> Cost transfers must include support for why the transfer was made. Costs should never be moved to free-up/spend available budget; costs must be charged appropriately!
  - If the relevant budget (or budget category) is overspent, the University will have to absorb the cost
  - If an inappropriate cost is discovered beyond 90 days, the cost transfer should still be made, though this is not ideal

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2/27/2018

Information technology, privacy and security compliance

Presentation content

> Overview of privacy and security
> Key risks and impacts of data breaches
> Privacy and security requirements applicable to higher education
> Leading practices

Session objectives

> Define privacy and security and highlight the risks and impacts of data breaches
> Understand the impact of cybersecurity and information privacy requirements
> Assess where the cybersecurity and information privacy requirements overlap, and how this impacts your institution
> Apply leading practice strategies for evaluating high-risk data at your institution and how it is protected

Overview of privacy and security

What is privacy?

> The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information

Source:
- American Institute of Certified Public Accountants (AICPA)
- Generally Accepted Privacy Principles (GAPP)

What is security?

> Security is made up of three elements, commonly known as the CIA triad:
  - Confidentiality: rules that limit access to information
  - Integrity: information is trustworthy and accurate
  - Availability: reliable access to information by authorized people

What is personally identifiable information (PII)?

> Information that is attributable to, and can be used to identify, a specific individual may include:
  - Name
  - Social security number
  - Street address, phone number
  - Physical characteristics (e.g., face, eyes, fingerprints, handwriting)
  - Identification numbers (e.g., student ID, driver's license, IP address)
  - Demographics (e.g., age, gender, race, ethnicity)
  - Account numbers (e.g., driver's license, financial)
  - Grades
  - Medical records

What is the difference between privacy and security?

> Privacy is concerned with enabling individuals to have a say over how their personal information is collected, used, retained, and disclosed
> Security is concerned with protecting information from inappropriate access, modification, or destruction
> To achieve privacy, you must have security
> Both security and privacy are business issues

Why does privacy matter in higher education?

> An exceptional volume and variety of personal information (e.g., transcripts, financial aid, health centers, retail operations)
> Increased complexity and oversight challenges in a decentralized environment
> Subject to many privacy laws and regulations due to:
  - Breadth and nature of business operations
  - Faculty, staff, students, and alumni from many states and countries

Challenges for higher education

> Numerous stakeholders for privacy compliance responsibilities
> Culture values the open exchange of information for scholarship and research
> Information security or IT incorrectly bear much of the burden of compliance
> Global constituents and community members mean expanded legal requirements
> Variety of vendors and third-party service providers
> Size and complexity of IT environments, including multiple applications and data stores holding PII

Impact of cybersecurity and information privacy requirements

Impacts of data breaches

Damage to brand!
> Deceptive or unfair trade charges
> Regulator scrutiny
> Regulatory sanctions
> Negative publicity
> Damaged employee relationships
> Refusal to share personal information
> Damaged customer relationships
> Legal liability
> Fines

Direct and indirect costs of a breach

> Data breaches in higher education cost colleges an average of $246 per record, a figure that calculates in the damage to the institution's reputation
> The average per-record cost across all industries: $221
> The average total breach cost to an organization in 2016 was $7.01 million

Note: Figures per the 2016 Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute LLC

Causes of higher education breaches

[Figure: Types of Data Breaches 2005 to. Data Source: EDUCAUSE ECAR Data Set 2013]

Cybersecurity and information privacy requirements

Numerous laws and regulations related to cybersecurity and information privacy potentially apply to higher education institutions, including:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Identity Theft Red Flags and Fair and Accurate Credit Transactions Act (FACTA)
- State data breach laws
- General Data Protection Rule (GDPR)


RISK AND AUDIT COMMITTEE TERMS OF REFERENCE

RISK AND AUDIT COMMITTEE TERMS OF REFERENCE RISK AND AUDIT COMMITTEE TERMS OF REFERENCE Brief description Defines the Terms of Reference for the Risk and Audit Committee. BHP Billiton Limited & BHP Billiton Plc BHP Billiton Limited & BHP Billiton

More information

CODE OF ETHICS/CONDUCT

CODE OF ETHICS/CONDUCT CODE OF ETHICS/CONDUCT This Code of Ethics/Conduct ( Code ) covers a wide range of business practices and procedures. It does not cover every possible issue that may arise, but rather provides information

More information

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION ESTABLISHMENT The Audit Committees are committees of the Board of Directors

More information

Staying Alive: Creating an effective compliance and ethics program to prevent and detect employee misconduct.

Staying Alive: Creating an effective compliance and ethics program to prevent and detect employee misconduct. Staying Alive: Creating an effective compliance and ethics program to prevent and detect employee misconduct. Melinda Burrows* Deputy General Counsel Progress Energy Service Company, LLC INTRODUCTION In

More information

CORPORATE GOVERNANCE GUIDELINES

CORPORATE GOVERNANCE GUIDELINES CORPORATE GOVERNANCE GUIDELINES Alcoa Corporation ( Alcoa or the Company ) is a values-based company. Our Values guide our behavior at every level and apply across the Company on a global basis. We expect

More information

GUIDELINES. Corporate Compliance. Kenneth D. Gibbs President & Chief Executive. Martin A. Cammer Senior Vice President & Corporate Compliance Officer

GUIDELINES. Corporate Compliance. Kenneth D. Gibbs President & Chief Executive. Martin A. Cammer Senior Vice President & Corporate Compliance Officer GUIDELINES Corporate Compliance Kenneth D. Gibbs President & Chief Executive Martin A. Cammer Senior Vice President & Corporate Compliance Officer Joyce Leahy Executive Vice President for Legal Affairs

More information