Resources

ACUA 2024 Award Winners and Board Members

Blue Logo for ACUA with the text Journal Articles

By C&U Journal Staff

Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:

Outstanding Professional Contributions Award

John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.

Rising Star Awards

Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as presenter at several AuditCons. Serving on the Communications Committee, Jocelyn  supports social media content creation, design, posting and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and introducing video content to help engage members.

Erin Egan is the director of audit and advisory services for Rutgers University.Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including: Governmental Affairs committee co-chair, ACUA Journal article author, Conference speaker and proctor, and Mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those to the new Global Internal Audit Standards.

Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

New Board Members

The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University for her prior role as past-president. The 2024-2025 Board of Directors are: 

  • Laura Buchhorn, President, University of Texas at San Antonio
  • Nikki Pittman, Vice President, University of Alaska
  • Eulonda Whitmore, Secretary/Treasurer, Wayne State University
  • Marion Candrea, Immediate Past President, Boston University

ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:

  • Jana Clark, Kansas State University
  • Kara Kearney-Saylor, University of Buffalo
  • William Hancock, Jr., Auburn University
  • Andre’ McMillan, University of Delaware
  • Amy Kozak, University of California, Santa Cruz

ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.

Research Security Resources and Best Practices

Blue Logo for ACUA with the text Journal Articles

As stewards of federal funding, institutions of higher education must play a role in protecting the security and integrity of the research enterprise. Maintaining an open and collaborative research environment is critical to fostering research discoveries and innovations that benefit the United States and the world. Simultaneously, this open environment must be balanced by guardrails that protect intellectual capital and prevent deceptive practices, foreign government influence, theft of research data, and unwanted knowledge transfer. Over the past few years, federal agencies have issued multiple guidance documents intended to support ongoing efforts to keep international research collaboration both open and secure.

Federal Agency Guidance

In December 2019, the National Science Foundation (NSF) released a report by the independent science advisory group JASON titled “Fundamental Research Security.” The report identified the need for a robust, coordinated approach to strengthen the integrity and security of the United States research enterprise by highlighting threats to basic research posed by foreign governments, which have taken actions that violate the principles of scientific ethics and research integrity. On January 14, 2021, the National Security Presidential Memorandum-33 (NSPM-33) was issued, which directs a national response intended to improve research security efforts at federal agencies. Approximately one year later, on January 4, 2022, the Office of Science and Technology Policy (OSTP) issued “Guidance for Implementing NSPM-33 on National Security Strategy for United States Government Supported Research and Development” (NSPM-33 Guidance). The NSPM-33 Guidance aims to clarify requirements for federally funded researchers, set best practices at federal agencies to strengthen research security, and offers direction on five major areas of research security addressed by NSPM-33: disclosure requirements and standardization, digital persistent identifiers, consequences for disclosure requirement violations, information sharing, and research security programs at federally funded research institutions.
In March 2023, OSTP requested public comment on the “DRAFT Research Security Programs Standard Requirement” (Draft Memorandum), prepared by the Interagency Working Group on Research Security Programs. The requirement applies to any research organization whose component parts receive at least $50 million in Federal science and engineering support annually in the aggregate. As of March 2024, the final research security program requirements have not been published. However, as per the Draft Memorandum, covered research organizations will need to certify they maintain a research security program which meets the requirements for foreign travel security, research security training, cybersecurity, and export control training. Additionally, they must:

  • Maintain a description of the finalized research security program made available on a publicly accessible website, with descriptions of each requirement.
  • Designate and provide contact information for a research security point of contact.
  • Maintain clear response procedures to address reported allegations of research security non-compliance.
  • Report incidents of research security violations to the federal awarding agency or agencies.
  • Establish or maintain international travel policies for covered individuals engaged in federally funded research and development (R&D) who are traveling internationally for organizational business, teaching, conference attendance, research purposes, or who receive offers of sponsored travel for research or professional purposes.
  • Implement research security training as a component of research security programs.
  • Implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D.
  • Provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.

The National Institute of Standards and Technology (NIST) released further guidance in August 2023 entitled “Safeguarding International Science Research Security Framework,” which establishes a set of recommended best practices and a methodology for implementing a risk-balanced, institutional research security program that addresses the requirements of NSPM-33. Additionally, the NSF has developed resources to enhance research security practices and implement research security provisions of the CHIPS and Science Act of 2022, including:

  • Prohibition of malign foreign government talent recruitment programs where, beginning in May 2024, investigators submitting a proposal for NSF funding will need to certify that they are not part of such a program and the proposing institution will need to certify that they have a means to assess faculty participation in malign foreign government talent recruitment programs.
  • The development of research security training modules for covered personnel (i.e., What is Research Security, Disclosure, Manage and Mitigate Risk, and International Collaboration research security training modules) currently available for the research community to use based on their needs.
  • Establishment of a research security and integrity information sharing and analysis organization called SECURE to be operational by the end of calendar year 2024 that will develop tools and provide information and services to the research community.
  • Establishment of Research on Research Security (RORS) program, where NSF seeks to fund research that will identify attributes that distinguish research security from research integrity, improve understanding of research security risks, provide insight into methods for identifying and preventing research security violations, and develop methods to assess the potential impact of research security threats on the U.S. economy, national security, and the research enterprise.
  • The requirement for institutions of higher education that receive NSF funding to report foreign financial transactions, including contracts and gifts, totaling over $50,000 per year from foreign sources associated with countries of concern. The first report is due July 31, 2024.
  • Prohibition of NSF funding to universities with Confucius Institutes, effective in 2025.

Research Security Best Practices

As research focused institutions of higher education await the final research security program requirements, institutions should assess their current processes against the research security provisions and guidelines outlined in the aforementioned documents and implement best practices to strengthen and protect the security and integrity of the research enterprise. The Subcommittee on Research Security under the National Science & Technology Council Joint Committee on the Research Environment recommends the following practices for research institutions to effectively address threats to research security and integrity:

  • Demonstrate robust leadership and oversight that conveys the importance of research security and integrity.
  • Ensure an organizational approach to research security where responsibilities for research security span across the organization.
  • Establish research security and integrity working groups and task forces to develop and implement policies and practices.
  • Establish and operate a comprehensive research security program that includes elements of cyber security, foreign travel security, insider threat awareness and education, and export control training.
  • Establish and administer organizational policies regarding conflicts of interest, conflicts of commitment, and disclosure.
  • Require disclosure to the organization of all information necessary to identify and assess potential conflicts of interest and commitment, including affiliations and employment with outside entities, other support and current or pending participation in, or applications to, programs sponsored by foreign governments, including foreign government-sponsored talent recruitment programs.
  • Ensure compliance with requirements for reporting foreign gifts and contracts.
  • Provide researchers with responsible conduct of research training.
  • Promote awareness of circumstances and behaviors that may pose risk to research security and integrity.
  • Establish procedures to monitor for noncompliance with organizational policies.
  • Establish a centralized review and approval process for evaluating formal research partnerships.
  • Establish a risk-based security process for foreign travel review and guidance.
  • Develop and deploy requirements for vetting and securely hosting foreign visitors.
  • Identify and implement measures to improve data security, internal breach prevention, and incident response processes.

Internal Audit Approach to Mitigate Research Security Risks

Internal audit functions within research focused institutions of higher education can help improve the organization’s research security posture by providing management and the board with independent and objective assurance on governance, risk management, and controls pertaining to research security. This includes assessing the overall effectiveness of the institution’s research security program to ensure compliance with all applicable federal laws, regulations, rules, and directives. Focus areas for internal audit may include:

  • Assessing organizational culture and tone at the top relative to research security priorities and directives.
  • Reviewing the results of risk assessments performed to assess the sensitivity of the institution’s research, including risks of theft, espionage, or foreign influence.
  • Evaluating the institution’s research security program against the NIST Safeguarding International Science Research Security Framework.
  • Comparing conflict of interest and commitment disclosures for key personnel to investigator certification questionnaire responses obtained during the proposal submission process to identify undisclosed appointments or affiliations with foreign institutions.
  • Assessing compliance with institutional policies (i.e., foreign travel, other support, export controls, visitors, intellectual property, or code of conduct).
  • Assessing compliance with institutional training requirements (i.e., conflict of interest and commitment, responsible conduct of research, export controls, electronic device security, research security, disclosure, risk mitigation, and international collaboration)
  • Conducting searches of open-source information to identify any key risk indicators for research associate appointments, including participation in a foreign talent or malign foreign talent recruitment program.
  • Reviewing research data handling, storage, and protection practices to ensure compliance with encryption protocols, data protection regulations, and privacy requirements.
  • Assessing compliance with reporting requirements for foreign gifts and contracts.
  • Evaluating the sufficiency of the institution’s incident response plan, communication protocols, and recovery procedures.

Council on Governmental Relations

In addition to guidance provided by federal agencies, the Council on Governmental Relations (COGR), an association of research universities, affiliated medical centers, and independent research institutes, has developed a Science and Security webpage to provide resources and analysis to assist member institutions in navigating requirements in this area. The webpage provides links to statues, regulations, and other sources of legal requirements related to science and security, including links to federal research agency policy and guidance. Two recently updated COGR publications contain useful information regarding federal research security requirements:

Final Thought

As the timeline for issuance of final research security program requirements is uncertain, research focused institutions of higher education should continue to engage with institutional leaders to determine how the new requirements may impact current processes and procedures and ensure appropriate steps are taken to protect the security and integrity of the research they conduct.