The Internal Audit Department of the University of Kentucky, with the assistance of the Director of the Von Allmen School of Accountancy, recently conducted a survey of directors, assistant directors, and other officers of departments of research integrity from 52 Research One institutions in order to answer the following questions:

1. How are Offices of Research Integrity (ORIs) and Institutional Review Boards (IRBs) structured within their respective institutions?

2. To what extent are external IRBs or central IRBs utilized?

3. Should research projects be evaluated internally or externally?

4. How are ORIs and IRBs planning to accommodate the new Common Rule Changes?

The answers to these and other questions should assist internal auditors in determining the risks of noncompliance and the areas of greatest audit need.
 

MAJOR CHANGES TO COMMON RULE

1. Consent forms must be characterized by greater clarity, focus, and promote the research subjects’ understanding of the project.
2. Researchers have the option of using broad consent for secondary research that uses identifiable private information and identifiable biospecimens.
3. Establishes new exempt categories of research projects that are low risk.
4. Requires institutions to have a single IRB for evaluating multisite research or documentation when the single IRB is not appropriate (effective January 20, 2020).
5. Eliminates the need for a continuing review under certain circumstances.
6. Some clinical trials must post the consent form online.
7. Requires documentation of reliance arrangements with non-institutional IRBs.

• Validate adequacy of consent forms, which are paramount to the protection of research subjects.
• Verify that their institutions are preparing to meet the new single IRB requirements for 2020.
• Verify that their institutions are documenting the reasons for not using the single IRB or the reliance arrangement with non-institutional IRBs.
• Verify other requirements of the Common Rule such as when consent forms must be posted online

Background:

Survey Procedures:

A cover letter and attached survey was sent to several individuals at 52 institutions by email. The cover letter stated that the potential research subjects would be contacted by phone for an interview. Shortly after emailing the survey to these persons, phone calls were made to initiate participation in the survey. Some individuals participated in the phone survey; whereas, others returned their responses back by email. Regardless of the response mechanism, the research subjects were told that the survey should only last from 10 to 15 minutes. The survey resulted in 20 responses from 19 institutions.

Problems Encountered:

Obtaining accurate results from the survey was hampered by the infrastructure and complexity differences of the responding institutions. For instance, many IRBs dealt with medical or clinical studies which demanded much different processes than others where behavioral studies were their primary focus. Behavioral studies were mostly done internally, whereas many medical studies might be outsourced. Differences in the size of the institutions also added to the complexity and forced the researchers to clarify many of the survey’s questions. For example, the approximate number of active protocols in these institutions varied from very small (e.g., under 500) to very large (e.g., over 5,000). Finally, the definition of external IRBs became problematic. Some respondents defined external IRBs as commercial entities. Others realized that some external IRBs could also include academic or other institutions. Thus, answering questions regarding the survey quickly became a two-way communication process to clarify questions that could only be answered in conjunction with these variables.

Respondents to the survey were also allowed to skip certain questions. Thus, some questions went unanswered by some respondents.

SURVEY PARTICULARS

The survey consisted of the following ten questions that were usually asked and answered in sequence:
The survey consisted of the following ten questions that were usually asked and answered in sequence:
1.    Does your organization use a central IRB or local IRBs at division or unit level?
2.    Does your organization use an external (external to your organization) IRB or internal IRBs at division or unit level?
3.    How many active / current protocols do you have in your IRB regarding research with human subjects?
4.    When would you obtain the services of a Central (external) IRB?
5.    What is your average turnaround time to approve a project?
6.    If you use a central IRB, what is the percentage of projects sent out to your central (external) IRB? 
7a. What is your reaction to the new requirements regarding the new Common Rule as published on
January 19, 2017?
7b. Do you anticipate any changes to the Common Rule in addition to the preliminary changes as noted in question 7a?
8.    Do you anticipate an increase or decrease in costs in maintaining compliance with federal regulations? Can you give a percent change in cost?

Results:

The survey results as shown in Table I and Chart I demonstrate the diversity of institutions, ORIs and IRBs. As can be surmised from the data, the survey participants oversee a range of very small to large research projects. The number of protocols ranged from 300 to over 6,000, which suggests the differing amounts of resources that might be needed to audit different institutions. Obviously, audit departments at larger universities that receive major amounts of research funds would be more challenged in audit coverage than departments at smaller institutions.

The next area that might interest internal auditors is the area of efficiency and effectiveness. Based on the survey results, a full review for a project might take about 30 days, with some outliers whose review time could take up to 335 days.

The risk to the human subjects usually dictates the category of approval needed. For instance, High Risk research is usually slated for full review. Some projects that are less risky may be approved by an IRB using an expedited review. Finally, projects of the lowest risk are usually exempt from the former two categories of review. However, even exempt research must be approved by the ORI/IRB representative at most institutions. And if research is sponsored by private or non-federal entities, the commercial (external) IRB might be used to review and approve these standardized and highly structured projects.

Review time of a project submitted to IRB varied from institution to institution. A few research subjects did not provide enough information on the possible review time for expedited or exempt reviews, but the same respondents suggested that these reviews took less time. For example, for one institution, based on the data above, an exempt review might be performed on a submitted project on the same day.

In addition, the status of adopting the new single IRB requirement is affected by the infrastructure of each institution. Some schools are better prepared to adopt the single IRB approach than others. If an institution’s research review process is very centralized, then the transition toward a single IRB is more easily accomplished. For others, not so. Some respondents stated that they will resist the adoption of a single IRB.

One area in which all respondents agree is that their procedures are dictated by not only federal regulations but by internal university policies which may be stricter than the federal requirements. Consequently, internal auditors must be cognizant of not only federal rules but also university policies and procedures.

Conclusion:

Internal audit departments must meet the growing needs of their respective institutions. In order to respond to that need, auditors must include compliance testing in their respective audit plans. For auditing aspects of the Common Rule, internal auditors must perform a complete analysis of the magnitude of their institutions’ research endeavors and types of research that their schools perform. For example, risk is dependent upon the amount of research, the sponsors for that research, and the types of research performed. Institutions that host major federal research projects that are subject to the Common Rule are inherently riskier regarding compliance adherence than institutions that perform mainly privately funded projects or projects sponsored by state governments/agencies. Some federal sponsors have not adopted the Common Rule so their grants are not subject to it. Thus, these grants would not reflect the same risks as those having to conform to the Common Rule Common Rule adherence testing is one of many areas that should be in internal audit plans for many institutions. The areas of audit are as follows:

1. Common Rule compliance
2. Efficiency and effectiveness of Full, Expedited, and Exempt Reviews
3. Adherence to IRB approval protocols
4. Compliance with federal, state, and university regulations

Regardless of the challenges in learning new disciplines, internal auditors are obligated to learn new information and perform the necessary audit steps to keep their organizations secure.

References
Available upon request. Please contact the ACUA Journal Editor at rrichard@westga.edu