Resources

By Monika Cami, Jackie Kimmel, and Jennifer Vitale

Editor’s Note: This article is reprinted from NCURA Magazine, 56(5), published by the National Council of University Research Administrations. It is used with permission from the publisher. Consider sharing this article with your research team and learn about common audit findings in research from our ACUA member authors.

Research universities and institutions are governed by strict regulations. Non-compliance can lead to severe monetary penalties, reputational damage, and impacts on funding. Therefore, it is crucial to proactively manage and mitigate risks. In this landscape, where adherence to complex regulations and standards is non-negotiable, the synergy between internal audit and research administration holds the promise of enhancing compliance. By jointly leveraging their expertise, maintaining open communication, and adopting a unified strategy towards risk management, these partnerships not only foster a culture of compliance and accountability, but also contribute to the overall integrity and efficacy of the research enterprise and continuous improvement across the institution.

Both internal audit and research administration share the common goal of compliance and risk mitigation. By working in tandem, they can ensure that their efforts are complementary and more effective. This article offers a few strategies for fostering productive collaboration with internal audit and provides a synopsis of common outcomes and recommendations. While not an all-inclusive list, we hope these insights will be beneficial when conducting self-assessments of your research operations or as you prepare for a future internal audit of research-related processes.

Tips for working with your internal audit team

• Be Honest and Open: The audit will be more valuable and more efficient if you are (e.g., if you’re asked for a policy/procedure document and you don’t have one, just say you don’t have one, don’t try to create one at the last minute).
• Share Your Knowledge:  You are the expert in your area; auditors are experts on risks and internal controls; help us understand your environment, what is working well and what are your concerns. Share this with your team as well. Prepare them for the audit and set expectations for transparency.
• Be Responsive:  The more responsive you are, the faster we can be out of your hair; if you’re busy and can’t get to us for a few days, respond and let us know when to expect a response so we can plan.
• Assign a Lead:  Assign someone to coordinate and facilitate with the auditors, get status updates from the audit team, and help remove obstacles.
• Ask Questions:  We want you to be comfortable and work with us; if you’re curious or confused – just ask; we’ll try not to use too much audit jargon, but if we slip – request clarification.
• Maintain A Positive Attitude:  Be receptive to recommendations; this is an exercise in continuous improvement; it is faster to talk about/work toward fixing something or making it better than it is to be defensive, blame others, explain all the reasons it is the way it is, refuse, etc. Focus on the solutions, not the problem itself.
• Collaborate:  We may share a recommendation that doesn’t work in your environment – work with us, suggest alternatives – we can often address the same risk in multiple ways; we want to agree on a solution that makes sense for you.
• Make a Plan:  Agree on how we will share documents/information (Dropbox, shared drive), schedule regular status check-ins, etc.
• Provide Access:  Facilitate access to space, intranets, data, etc.; help us schedule interviews, tours, and walkthroughs.
• Prepare for Future Audits:
• Address the findings/recommendations from your previous audit
• Pay particular attention to:
• Good housekeeping of documentation
• Monitoring and oversight
• Governance
• Maintain an Ongoing Relationship:  Reach out when you have questions and be proactive.
• Provide Evidence: “Show me” is going to be a common phrase. We have to ‘trust but verify’, so help us ‘see’ the internal controls.
• Don’t Be Afraid: Audits are collaborative, not punitive, processes.

Common Internal Audit Findings: Missing or ineffective controls

Regardless of the industry or type of business, or even the subject matter of an audit, internal audit findings are very often rooted in one of these common problems: 

1. A lack of written policies and procedures
2. Having unclear roles and responsibilities
3. Not enough or ineffective oversight processes

A house made of strong internal controls requires good housekeeping. Policies and procedures (big and small) should be documented and reviewed from time to time. The foundation of any control is having a clear picture of what you do, how you do it, and who is doing it. Writing this all down for all phases and levels of research administration and clearly understanding who is responsible for each part is packed with benefits such as:

• Faster and smoother onboarding of new employees.
• Less disruption when key employees leave (either planned or unexpectedly).
• Less duplication of efforts (or data).
• Less loss of institutional knowledge from long-term employees who leave (and take their knowledge with them).
• Greater productivity when everyone shares the same understanding of a process.
• Better forecasting of the upstream and downstream effects of a proposed process or business change.
• More effective and efficient oversight activities by knowing where things can go wrong and identifying easier ways to measure/monitor for them.
• Faster (and more employee-friendly) adaptation to change.
• Better protection of your data when you know where it lives and who has access to it.
• Clearer compliance with laws and regulations.

Other common audit findings include: 

Onboarding/Offboarding Processes: Lack of robust onboarding and offboarding activities, unclear roles and responsibilities, inappropriately granting or removing access (physical and system), no documentation.   Data and Intellectual Property Protections: Inadequate data management practices, including insufficient data security, improper handling of confidential information, and failure to back up research data. Failure to maintain effective application controls, encryption, authentication, backups, intrusion detection, cloud security controls. Insufficient reaction time to intrusions or business disruptions.   Expense Approval Processes: Lack of expense support, non-compliance with procurement policies, lack of separation of duties, lack of proper approval, unauthorized delegation of approval.   Grant Sponsor Reporting: Late or incomplete/inaccurate reporting. Lack of documentation around sponsor communications. Failure to disclose inventions to the sponsoring agency or institution as required by the award and institutional policy.   Financial Monitoring: Lack of expense reconciliations, inadequate budgeting, unjustified budget or cost transfers. Improper cost sharing allocations. Indirect Cost Calculations: Incorrect indirect cost calculations, lack of support or justification for the calculations.   Unallowable Direct Charges: Using grant funds for purposes not directly related to the research project, such as unrelated travel or personal purchases. Lack of justification or support for the charges. Subrecipient Monitoring: Lack of oversight over subawards, inadequate (undocumented) assurance that the subrecipient is compliant with funding terms and conditions.

Record Retention: Lack of expectation for retention of: proposal, pre-award, and post-award communications; budget and financial records; research data, results, and analysis; laboratory notebooks or research journals; documentation of materials and methods used in research; publication and presentations resulting from the research; intellectual property disclosures or patents; subrecipient monitoring communications and reviews.   Asset Management: Insufficient equipment or inventory tracking processes. Unauthorized relocation of sponsor-owned equipment. Improperly secured sponsor-owned equipment. Improper disposal. Management of contracts and other agreements: Lack of timely review, unclear ownership, lack of termination and change notice requirements, missing other components (right to audit, arbitration) required by general counsel.   Regulatory Compliance: Unidentified or non-compliant export controls: failure to update Technology Control Plans (TCP); failure to report international travel.   Training: Failure to complete Responsible Conduct of Research (RCR) Training, purchasing and purchasing card training, expense report training. Failure to track training completion and maintain training records.   Conflict of Interest: Failure to disclose, review, manage, or report financial conflicts of interest that may affect research integrity. Failure by management to monitor the conflict reporting process.   Confidentiality and Acceptable Use Policies: Failure to execute nondisclosure/confidentiality agreements, materials transfer agreements, data use agreements.

Conclusion

Whether you are grappling with complex decisions, developing new processes, or simply looking for guidance or comfort that your operations are on the right track, do not hesitate to connect with the internal audit team at your institution. They are there to serve as a resource for you. By reaching out to internal audit, not only will you benefit from independent and professional advice, but you will also be taking proactive steps towards strengthening department operations and research practices.

Through a collaborative approach, we aim to identify opportunities for improvement, enhance risk management, and ensure effective controls are in place. Remember, by involving us early in your planning and decision-making processes, we can help you reduce or mitigate risks before they become issues and support you in achieving your objectives more efficiently and effectively.

Albert Einstein said, “I have no special talents. I am only passionately curious.” The next time you work with an internal auditor, remember they are just passionately curious and will ask many questions. It is through our curiosity and a desire to learn more about your operations that we often uncover opportunities for enhancing the control environment. In essence, consider internal audit as a resourceful ally within the organization. Whenever you are in doubt or in need of a fresh perspective, reach out; let’s work together to bring out the best in our operations and institutions.