Resources
ACUA 2024 Award Winners and Board Members
By C&U Journal Staff
Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:
Outstanding Professional Contributions Award
John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members, and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.
Rising Star Awards
Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as a presenter at several AuditCons. Serving on the Communications Committee, Jocelyn supports social media content creation, design, posting and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and is introducing video content to help engage members.
Erin Egan is the director of audit and advisory services for Rutgers University. Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including Governmental Affairs committee co-chair, ACUA Journal article author, conference speaker and proctor, and mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those to the new Global Internal Audit Standards.
Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!
New Board Members
The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University, for her prior role as past-president. The 2024-2025 Board of Directors are:
- Laura Buchhorn, President, University of Texas at San Antonio
- Nikki Pittman, Vice President, University of Alaska
- Eulonda Whitmore, Secretary/Treasurer, Wayne State University
- Marion Candrea, Immediate Past President, Boston University
ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:
- Jana Clark, Kansas State University
- Kara Kearney-Saylor, University of Buffalo
- William Hancock, Jr., Auburn University
- Andre’ McMillan, University of Delaware
- Amy Kozak, University of California, Santa Cruz
ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.
Lab Safety Internal Auditing: Protecting Students, Researchers, and The Community
Research Papers – An Auditor’s Guide to Documentation Expectations for Sponsored Activities
Research Security-What Auditors Must Know in 2022
Conflicts of Interest and Commitment: Risk and Internal Audit Considerations to Elevate Community Engagement.
Developing an Audit of Research Activities Leveraging Results of OIG and Single Audits
Research Security Resources and Best Practices
As stewards of federal funding, institutions of higher education must play a role in protecting the security and integrity of the research enterprise. Maintaining an open and collaborative research environment is critical to fostering research discoveries and innovations that benefit the United States and the world. Simultaneously, this open environment must be balanced by guardrails that protect intellectual capital and prevent deceptive practices, foreign government influence, theft of research data, and unwanted knowledge transfer. Over the past few years, federal agencies have issued multiple guidance documents intended to support ongoing efforts to keep international research collaboration both open and secure.
Federal Agency Guidance
In December 2019, the National Science Foundation (NSF) released a report by the independent science advisory group JASON titled “Fundamental Research Security.” The report identified the need for a robust, coordinated approach to strengthen the integrity and security of the United States research enterprise by highlighting threats to basic research posed by foreign governments, which have taken actions that violate the principles of scientific ethics and research integrity. On January 14, 2021, the National Security Presidential Memorandum-33 (NSPM-33) was issued, which directs a national response intended to improve research security efforts at federal agencies. Approximately one year later, on January 4, 2022, the Office of Science and Technology Policy (OSTP) issued “Guidance for Implementing NSPM-33 on National Security Strategy for United States Government Supported Research and Development” (NSPM-33 Guidance). The NSPM-33 Guidance aims to clarify requirements for federally funded researchers, set best practices at federal agencies to strengthen research security, and offer direction on five major areas of research security addressed by NSPM-33: disclosure requirements and standardization, digital persistent identifiers, consequences for disclosure requirement violations, information sharing, and research security programs at federally funded research institutions.
In March 2023, OSTP requested public comment on the “DRAFT Research Security Programs Standard Requirement” (Draft Memorandum), prepared by the Interagency Working Group on Research Security Programs. The requirement applies to any research organization whose component parts receive at least $50 million in Federal science and engineering support annually in the aggregate. As of March 2024, the final research security program requirements have not been published. However, as per the Draft Memorandum, covered research organizations will need to certify they maintain a research security program which meets the requirements for foreign travel security, research security training, cybersecurity, and export control training. Additionally, they must:
- Maintain a description of the finalized research security program made available on a publicly accessible website, with descriptions of each requirement.
- Designate and provide contact information for a research security point of contact.
- Maintain clear response procedures to address reported allegations of research security non-compliance.
- Report incidents of research security violations to the federal awarding agency or agencies.
- Establish or maintain international travel policies for covered individuals engaged in federally funded research and development (R&D) who are traveling internationally for organizational business, teaching, conference attendance, research purposes, or who receive offers of sponsored travel for research or professional purposes.
- Implement research security training as a component of research security programs.
- Implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D.
- Provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.
The National Institute of Standards and Technology (NIST) released further guidance in August 2023 entitled “Safeguarding International Science Research Security Framework,” which establishes a set of recommended best practices and a methodology for implementing a risk-balanced, institutional research security program that addresses the requirements of NSPM-33. Additionally, the NSF has developed resources to enhance research security practices and implement research security provisions of the CHIPS and Science Act of 2022, including:
- Prohibition of malign foreign government talent recruitment programs where, beginning in May 2024, investigators submitting a proposal for NSF funding will need to certify that they are not part of such a program and the proposing institution will need to certify that they have a means to assess faculty participation in malign foreign government talent recruitment programs.
- The development of research security training modules for covered personnel (i.e., What is Research Security, Disclosure, Manage and Mitigate Risk, and International Collaboration research security training modules) currently available for the research community to use based on their needs.
- Establishment of a research security and integrity information sharing and analysis organization called SECURE to be operational by the end of calendar year 2024 that will develop tools and provide information and services to the research community.
- Establishment of the Research on Research Security (RORS) program, where NSF seeks to fund research that will identify attributes that distinguish research security from research integrity, improve understanding of research security risks, provide insight into methods for identifying and preventing research security violations, and develop methods to assess the potential impact of research security threats on the U.S. economy, national security, and the research enterprise.
- The requirement for institutions of higher education that receive NSF funding to report foreign financial transactions, including contracts and gifts, totaling over $50,000 per year from foreign sources associated with countries of concern. The first report is due July 31, 2024.
- Prohibition of NSF funding to universities with Confucius Institutes, effective in 2025.
Research Security Best Practices
As research-focused institutions of higher education await the final research security program requirements, institutions should assess their current processes against the research security provisions and guidelines outlined in the aforementioned documents and implement best practices to strengthen and protect the security and integrity of the research enterprise. The Subcommittee on Research Security under the National Science & Technology Council Joint Committee on the Research Environment recommends the following practices for research institutions to effectively address threats to research security and integrity:
- Demonstrate robust leadership and oversight that conveys the importance of research security and integrity.
- Ensure an organizational approach to research security where responsibilities for research security span across the organization.
- Establish research security and integrity working groups and task forces to develop and implement policies and practices.
- Establish and operate a comprehensive research security program that includes elements of cyber security, foreign travel security, insider threat awareness and education, and export control training.
- Establish and administer organizational policies regarding conflicts of interest, conflicts of commitment, and disclosure.
- Require disclosure to the organization of all information necessary to identify and assess potential conflicts of interest and commitment, including affiliations and employment with outside entities, other support and current or pending participation in, or applications to, programs sponsored by foreign governments, including foreign government-sponsored talent recruitment programs.
- Ensure compliance with requirements for reporting foreign gifts and contracts.
- Provide researchers with responsible conduct of research training.
- Promote awareness of circumstances and behaviors that may pose risk to research security and integrity.
- Establish procedures to monitor for noncompliance with organizational policies.
- Establish a centralized review and approval process for evaluating formal research partnerships.
- Establish a risk-based security process for foreign travel review and guidance.
- Develop and deploy requirements for vetting and securely hosting foreign visitors.
- Identify and implement measures to improve data security, internal breach prevention, and incident response processes.
Internal Audit Approach to Mitigate Research Security Risks
Internal audit functions within research-focused institutions of higher education can help improve the organization’s research security posture by providing management and the board with independent and objective assurance on governance, risk management, and controls pertaining to research security. This includes assessing the overall effectiveness of the institution’s research security program to ensure compliance with all applicable federal laws, regulations, rules, and directives. Focus areas for internal audit may include:
- Assessing organizational culture and tone at the top relative to research security priorities and directives.
- Reviewing the results of risk assessments performed to assess the sensitivity of the institution’s research, including risks of theft, espionage, or foreign influence.
- Evaluating the institution’s research security program against the NIST Safeguarding International Science Research Security Framework.
- Comparing conflict of interest and commitment disclosures for key personnel to investigator certification questionnaire responses obtained during the proposal submission process to identify undisclosed appointments or affiliations with foreign institutions.
- Assessing compliance with institutional policies (i.e., foreign travel, other support, export controls, visitors, intellectual property, or code of conduct).
- Assessing compliance with institutional training requirements (i.e., conflict of interest and commitment, responsible conduct of research, export controls, electronic device security, research security, disclosure, risk mitigation, and international collaboration).
- Conducting searches of open-source information to identify any key risk indicators for research associate appointments, including participation in a foreign talent or malign foreign talent recruitment program.
- Reviewing research data handling, storage, and protection practices to ensure compliance with encryption protocols, data protection regulations, and privacy requirements.
- Assessing compliance with reporting requirements for foreign gifts and contracts.
- Evaluating the sufficiency of the institution’s incident response plan, communication protocols, and recovery procedures.
Council on Governmental Relations
In addition to guidance provided by federal agencies, the Council on Governmental Relations (COGR), an association of research universities, affiliated medical centers, and independent research institutes, has developed a Science and Security webpage to provide resources and analysis to assist member institutions in navigating requirements in this area. The webpage provides links to statutes, regulations, and other sources of legal requirements related to science and security, including links to federal research agency policy and guidance. Two recently updated COGR publications contain useful information regarding federal research security requirements:
- “Quick Reference Table of Current & Upcoming Federal Research Security Requirements”
- “COGR Matrix of Science & Security Laws, Regulations, and Policies”
Final Thought
As the timeline for issuance of final research security program requirements is uncertain, research-focused institutions of higher education should continue to engage with institutional leaders to determine how the new requirements may impact current processes and procedures and ensure appropriate steps are taken to protect the security and integrity of the research they conduct.
Promising Practices in Evaluating Federally Funded Award Portfolios
The mission of the National Science Foundation (NSF) Office of Inspector General (OIG) is to provide independent oversight of NSF to improve the effectiveness, efficiency, and economy of its programs and operations, and to prevent and detect fraud, waste, and abuse. That mission extends to overseeing the 11,000 grants, cooperative agreements, and contracts that NSF awards annually to more than 2,000 colleges, universities, and other institutions. These awards fund basic and applied research; support science, technology, engineering, and mathematics (STEM) education; and help strengthen the U.S. research enterprise.
We conduct audits and reviews of NSF’s award recipient organizations to ensure they follow applicable federal regulations and NSF terms and conditions, and that costs claimed on NSF awards are allowable, reasonable, allocable, and necessary to complete award objectives. Through this work we’ve had the opportunity to identify areas of elevated risk that are common to managing federal awards, as well as trends and practices that can help enhance stewardship of federal funds.
A Resource for College and University Auditors
We regularly contract with independent public accounting firms to conduct audits of NSF award recipients on our behalf. In 2022, we published a capstone report, Promising Practices for NSF Award Management, which cataloged our contractor’s observations of award recipients’ control weaknesses and strengths over a 3-year period. The report includes the 5 most frequent finding categories we identified, 46 distinct examples of our most common findings, and promising practices we observed to strengthen controls within those areas. We believe this report will provide a strong foundation for any college or university auditor to develop a risk assessment or audit program related to their institution’s federally funded award portfolio.
Common Finding Categories
The most common audit finding categories at the institutions we audited included:
- Unallowable expenses ― We identified costs related to unallowable travel, participant support, salary, material/supply, fringe benefit, publication, consultant, and subaward costs charged to NSF awards.
- Inappropriately applied indirect costs ― Recipients did not always apply indirect costs to the appropriate Modified Total Direct Cost base and did not apply indirect costs at the rates approved within the recipient’s Negotiated Indirect Cost Rate Agreements.
- Inadequately supported expenses ― Recipients did not always maintain sufficient evidence to support that costs claimed in NSF’s Award Cash Management Service, costs billed by internal service providers, and travel, salary, and consultant costs charged to NSF awards were allowable per federal and NSF regulations.
- Inappropriately allocated expenses ― We identified instances where recipients inappropriately allocated travel, materials and supplies, publication, and student stipend or tuition costs to NSF awards.
- Non-compliance with policies and procedures ― Recipients did not always comply with, or did not document their compliance with, organization and NSF program-specific policies and procedures.
Promising Practices
The report identified the following promising practices that could help decrease the likelihood of recipient non-compliance with federal and NSF criteria, as well as improve the stewardship of federal funds:
- Continually monitor and verify the allowability of high-risk expenses. Recipients were less likely to charge unallowable costs to NSF awards if they implemented processes for the continuous monitoring of high-risk expenses, rather than waiting until after the award expired to review the allowability of the expenses.
- Strengthen controls over applying indirect cost rates. For example, recipients could implement controls to identify when indirect cost rates change between the proposal submission date and the award date and establish guidance identifying the appropriate indirect cost rate for sponsored projects awarded during provisional rate periods.
- Ensure recipients create and maintain sufficient, appropriate documentation. Recipients with more robust requirements for documentation creation and retention were more likely to maintain sufficient, appropriate documentation to support that expenses charged to NSF awards were reasonable, allocable, and allowable.
- Document and justify reasonable allocation methodologies. Recipients that require staff to document and justify reasonable allocation methodologies when purchasing goods and services were more likely to maintain sufficient documentation to support that they had allocated sampled expenses to NSF awards consistent with the relative benefits received by those awards.
- Regularly review and update grant management policies and procedures. Recipients would have benefited from reviewing and updating their grant management practices on a regular basis. Many noted that their policies did not accurately reflect their current procedures, or they were already in the process of updating the cited policies and procedures.
We hope our Promising Practices for NSF Award Management report will serve as a valuable tool as you evaluate your institution’s federally funded award portfolio. If you have questions, please feel free to reach out to us at OIGPublicAffairs@nsf.gov. Our audit reports of NSF funded institutions can be found on our website.
To report research misconduct or other forms of fraud, waste, abuse, or whistleblower reprisal, please contact us by:
- Web: oig.nsf.gov/contact/hotline
- Anonymous Hotline: 1.800.428.2189
- Mail: 2415 Eisenhower Avenue, Alexandria, VA 22314 ATTN: OIG HOTLINE