- Explanation of Material Transmitted: This revised chapter outlines responsibilities for assisting the Department of Health and Human Services (HHS) Office of Inspector General (OIG), and Government Accountability Office (GAO) program with Audit Reviews conducted at the National Institutes of Health (NIH), and for responding to, and taking corrective action on, OIG and GAO program audit findings and recommendations. Included in the revision are updates to responsibilities for the Office of Management Assessment (OMA) and Office of Science Policy (OSP), website references, Glossary of Terms Appendix A, Sharing of Sensitive Information Appendix B, and a new Appendix C outlining the audit lifecycle.
Please refer to NIH Manual 1753, Audits and Investigations of Contractors and Grantees by Outside Organizations, to review NIH’s responsibilities with processing audit reports of contractors and grantees distributed by the OIG.
Remove: NIH Manual Chapter 1752, dated 09/30/2016
Insert: NIH Manual Chapter 1752, dated 11/22/2021
PLEASE NOTE: For information on:
Contents of this chapter, contact the issuing office listed above.
NIH Policy Manual, contact the Division of Compliance Management, Office of Management Assessment (OMA) at 301-496-4606, firstname.lastname@example.org or refer to URL: https://oma.od.nih.gov/DMS/Pages/Manual-Chapters.aspx
This manual chapter established the policies, procedures, and guidelines for supporting outside Audit Reviews and follow-up activities conducted at NIH by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), and Government Accountability Office (GAO); and NIH Management Officials’ responsibilities for responding to and taking corrective actions on OIG and GAO audit findings and recommendations. For reference, Appendix A contains definitions of relevant terms used in this Manual Chapter and the audit process. Appendix B contains guidelines for sharing sensitive information with auditors. Appendix C contains pertinent information on the Audit Lifecycle.
This chapter also establishes the response criteria and time frames for NIH Management Officials for responding to OIG and GAO audit findings and recommendations. Time frames may vary depending on the topic and complexity of the OIG or GAO Review.
The policy in this chapter applies to all NIH Institutes, Centers, and Offices within the Office of the Director (ICOs) and all personnel, including employees, contractors, volunteers, fellows, trainees, and interns (referred to here as “staff”).
This chapter does not apply to reviews initiated by the OIG Office of Investigations or the GAO Forensic Audits and Special Investigations team, which are initiated under different authorities than the reviews referred to in this chapter.
NIH Delegation of Authority, General Administration: No. 34
- 5 United States Code (U.S.C.) App., Inspector General Act of 1978, as amended
- 31 USC § 711 - 712, 717, 719, 720 General Authority, Comptroller General Reports, as amended
- 31 USC § 3529, Requests for decisions of the Comptroller General, as amended
- OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control, Revised July 2016
- OMB Circular A-50 Audit Follow-up
- The Good Accounting Obligation in Government Act (GAO-IG Act; Public Law 115- 414), January 2019
- Government Accountability Office, GAO-19-55G, Revised, Agency Protocols, January 2019
- Government Accountability Standards for Internal Control in the Federal Government, Revised September 2014
- GAO Open Recommendations Database, Updated Periodically
- NIH Manual Chapter 1743, Managing Federal Records, Appendix 4, Records Management Resources
Outside Audit Reviews are an important component of the oversight of internal programs and operations. These Audit Reviews help the organization identify, prevent, and mitigate fraud, waste, abuse, mismanagement, and conflicts of interest. The prompt resolution and development of corrective actions to address audit findings and recommendations are an integral part of good management. Corrective actions taken by NIH management to resolve findings and recommendations are essential to improving the effectiveness and efficiency of NIH operations. The audit liaison function at NIH for OIG and GAO Audit Reviews resides within the Office of the Director (OD), Office of Management (OM), Office of Management Assessment (OMA).
The OIG is mandated to protect the integrity of HHS programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has the responsibility to report program and management problems, and make recommendations to correct them, both to the Secretary of HHS and to Congress. In order to carry out these responsibilities, OIG conducts audits, investigations, and inspections.
At the request of Congress and, under special circumstances, on their own initiative, GAO provides oversight of Federal programs and insight into ways to make government more efficient, effective, ethical, and equitable. GAO reports, testimonies, and legal decisions are reported to Congress. The GAO also issues guidance on the development and use of internal or management controls to ensure effective and efficient government operations.
The NIH policy outlines general principles and protocols governing NIH’s relationships with Outside Audit Reviews. The policy, as well as numerous statutory laws and obligations, requires management officials to promptly comply with OIG and GAO audit requests for access to the agency’s records for evidence and examination of virtually every federal program, activity, and policy.
The statutory requirements help ensure the consistency, fairness, and effectiveness of interactions between NIH and audit agencies. These activities include scheduling timely entrance and exit conferences, providing information and data throughout the audit lifecycle, preparing prompt, responsive, and constructive comments to confirm the critical facts, and finally to address corrective actions, as applicable, in response to OIG and GAO audit report findings and recommendations. The NIH considers Audit Follow-up to be an integral part of good management and a responsibility shared by NIH staff. It is NIH policy to ensure that an Audit Follow-up System provides a complete record of action taken on findings and recommendations.
- NIH Principal Deputy Director will:
- Review and approve written NIH comments to Audit Reviews and sign-off on transmittal documents.
- NIH Office of the Director, Office of Management, Deputy Director for Management will:
- Review written NIH comments to Audit Reviews to ensure that NIH’s responses are consistent with the organization’s mission, goals, and external communications, as well as the Risk Management Program.
- NIH Office of the Director, Office of Management, Office of Management Assessment will:
- Serve as the primary contact for notifying the appropriate organization(s) within NIH regarding the start of an OIG or a GAO Audit Review.
- Identify and appoint an OMA Audit Liaison for each OIG or GAO Audit Review.
- Initiate meetings between NIH Management Officials and coordinate subsequent meetings between NIH staff and OIG or GAO auditors.
- Analyze OIG and GAO requirements, coordinate and negotiate requests for documentation, data, information or meetings with specific NIH Management Officials.
- Work with NIH officials to proactively gain an understanding of the information available to auditors in response to their requests and the most efficient way to provide the information to the auditors.
- Coordinate the preparation and review of oral briefings or other written documents and reports on the results and status of Audit Review activities.
- Coordinate with and keep the HHS Assistant Secretary for Legislation and the HHS Assistant Secretary for Financial Resources informed of ongoing audit activities and statuses as appropriate and necessary.
- Coordinate within the OD policy officials to ensure that NIH’s responses are consistent with the organization’s other external communications, as well as the NIH Risk Management Program.
- Coordinate comments to OIG or GAO Draft Audit Reports and any subsequent Audit Follow-up regarding recommendations or findings described in the Final Audit Report.
- Evaluate management’s corrective actions taken in response to OIG and GAO audit recommendations to ensure the corrective actions fully address the recommendation.
- Identify and appoint Audit-Follow-up Official and periodically check-in on the status of agreed-upon open corrective actions.
- Upon implementation of recommendations, prepare appropriate documentation for OIG or GAO.
- Respond to OIG and GAO inquiries regarding progress on the closure of open recommendations from a Final Audit Report.
- Provide briefings on the results and status of Audit Review activities for the NIH Director, NIH Principal Deputy Director, Deputy Director for Management, or OMA Director, and other senior NIH Management Officials, as well as NIH Management Officials involved in the audit.
- Establish and maintain an Audit Follow-up system to facilitate the prompt and proper resolution and implementation of audit recommendations.
- Track OIG and GAO Audit Reviews and maintain the official NIH files provided to auditors.
- On periodic basis, maintain and update Manual Chapter 1752 - Outside Audit Reviews and Follow-up.
- NIH Office of Science and Policy Liaison will:
- Provide guidance and oversight, as needed, on NIH science policy and other issues to fulfill the responsibilities outlined within this policy.
- NIH Office of the Director, Office of Communications and Public Liaison will:
- Provide guidance, as requested, on NIH communication with offices and agencies outside of NIH, including but not limited to the public, the media, the scientific and medical communities, and public advocacy groups, as needed to fulfill the responsibilities outlined within this policy.
- As needed, disseminate information that may pertain to upcoming, active, or completed Audit Reviews that OMA is coordinating on behalf of the NIH.
- NIH Office of the Director, Office of Legislative Policy and Analysis will:
- Provide guidance, as requested, on NIH communication with the Congress and its committees to fulfill the responsibilities outlined within this policy.
- As needed, disseminate information on congressional inquiries or congressional interest that may pertain to upcoming, active, or completed Audit Reviews that OMA is coordinating on behalf of the NIH.
- Department of Health and Human Services, Office of the General Counsel will:
- Provide advice to management on review topics, as needed.
- Review agency responses to draft reports, as needed.
- NIH Institute, Center, and OD EO will:
- Serve as liaison, or designate staff to serve as a liaison, between OMA and their respective ICO to respond to OIG and GAO audits and inquiries throughout the audit lifecycle (Appendix C).
- NIH Management Officials will, through their respective EO or its designated liaisons:
- Cooperate with OMA in their responsibility to coordinate Audit Reviews conducted by the OIG and GAO.
- Provide documentation and assistance as part of an official Audit Review. Examples of documentation and assistance may include providing program data, official comments to Draft Audit Reports, or updates on the status of corrective actions taken.
- Direct staff, as necessary, to fulfill their responsibilities as outlined in this policy.
- Work with OMA to resolve issues pertaining to OIG or GAO Audit Reviews.
- Provide OMA with prompt and responsive corrective actions to OIG and GAO report findings and recommendations.
- Implement corrective action(s) in response to OIG and GAO findings and recommendations.
- If contacted by OIG or GAO without prior notification from OMA, refer the OIG or GAO auditor to OMA to coordinate any request for information.
All records pertaining to this chapter must be retained and disposed of under the authority of NIH Manual 1743, “Managing Federal Records,” Appendix 4, Records Management Resources. These records must be maintained in accordance with current NIH Records Management and Federal guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information.
- Audit Findings and Recommendations: Pursuant to government auditing standards, audit findings may involve deficiencies in internal control, fraud, illegal acts or violations of provisions of contracts or grant agreements, and abuse. The elements of a finding depend entirely on the objectives of the Audit Review and are broadly defined as criteria, condition, cause, and effect. Audit recommendations are intended to improve agency operations.
- Audit Follow-up: Audit Follow-up is completed by NIH Management Officials by ensuring timely responses are made to audit reports and corrective actions are implemented.
- Audit Follow-up Official: Within NIH, OMA is the designated Audit Follow-up Official who has responsibility for ensuring that (a) systems of Audit Follow-up, resolution, and corrective action are documented and in place, (b) timely responses are made to audit reports, (c) disagreements are resolved, (d) corrective actions are actually taken, and (e) NIH supports HHS’ efforts to produce any Department-wide semi-annual reports as required by OMB Circular A-50 and IG-GAO Act.
- Audit Follow-up System: A system developed by an agency to facilitate the prompt and proper resolution and implementation of audit recommendations. The system for resolution and corrective actions must meet the standards outlined in OMB Circular A-50, including a complete record of action taken on both monetary and non-monetary findings and recommendations.
- Audit Liaison: Senior management official who serves as the contact for OIG and GAO Audit Reviews with NIH Management Officials. The NIH uses the Audit Liaison position to fulfill several of the responsibilities detailed in OMB Circular A-50 including serving as the agency’s Audit Follow-up Official. OMA performs the official Audit Liaison function for OIG and GAO Audit Reviews conducted at the NIH.
- Audit Review: A term referring to studies, audits, reviews, evaluations or inspections of an agency’s programs or operations that may involve on-site visits, documentation reviews, and interviews of personnel. The Audit Review is usually preceded by a Notification Letter/Start Notice Memorandum that identifies the requester(s) and summarizes the objectives of the study, audit, review, evaluation, or inspection. An Audit Review typically results in a Final Audit Report, but other products can result as well, such as an executive-level correspondence letter. For high-profile OIG or GAO Audit Reviews, related congressional testimony may be possible.
- Corrective Action: Action taken by the agency to implement recommendations and resolve audit findings. The agency describes the planned or taken Corrective Actions in the Statement of Action or the Management Decision Letter.
- Draft Audit Report: An OIG or GAO prepared document that is provided to HHS and relevant NIH officials. The agency prepares written comments in response to the statements, recommendations, and conclusions within the Draft Audit Report. For reports that require NIH comments, OMA prescribes timelines to ensure that the agency meets its regulatory requirements for responding to OIG or GAO within the required due dates.
- Entrance Conference: An initial meeting when OIG or GAO discusses its scope of work, expectations of the NIH Management Officials, specific information needs (e.g., data, access to agency officials, workspace), key objectives (research questions), sites where auditors expect to conduct their work, the need for any precautions to protect data or information, and estimated length of the Audit Review.
- Exit Conference: A concluding meeting when the OIG or GAO explains the critical facts and key information learned during the Audit Review to formulate its conclusions. The Exit Conference also provides an opportunity for NIH and the OIG or GAO to verify the information collected during the Audit Review.
- Final Audit Report: The final version of an OIG- or GAO-prepared Draft Audit Report, which includes agency comments.
- Government Accountability Office (GAO): The agency within the legislative branch responsible for conducting studies, audits, or evaluations at the request of Congress to help it meet its constitutional oversight responsibilities and to improve the performance and accountability of the Federal government. The GAO has a public-facing website database that includes highlights, full reports, and recommendations.
- Management Decision Letter (OIG): Prepared by the NIH and provided to the OIG. This letter indicates whether or not the NIH concurs with each recommendation and the corrective actions the NIH has taken or plans to take to implement OIG recommendations. This is an equivalent document to the GAO Statement of Action.
- Management Officials: Agency officials that are responsible for receiving and analyzing audit reports, providing timely responses to the OIG and GAO, and taking corrective actions where appropriate.
- Notification of Final Action: Documentation prepared by OMA, in coordination with NIH Management Officials, and subsequently provided to OIG auditors regarding recommendations in an OIG Final Audit Report.
- Notification Letter/Start Notice Memorandum: A formal announcement of the start date, scope, and objectives of an Audit Review by GAO or OIG.
- Office of Inspector General (OIG): The HHS component responsible for conducting and supervising audits, evaluations, and inspections relating to HHS programs and activities.
- Statement of Action (GAO): The HHS and NIH response prepared in accordance with 31 USC § 720. It is an update on the status of the corrective actions taken or that the agency plans to take to implement recommendations contained in the GAO Final Audit Report. The Statement of Action is provided within 180 calendar days of issuance of that report. The Statement of Action is an equivalent document to the OIG Management Decision Letter.
- Statement of Facts: A GAO prepared document that is provided to HHS and relevant NIH officials prior to the Exit Conference. The document contains a list of facts that are likely to appear in the Draft Audit Report. The relevant officials are then given the opportunity to comment on the validity and accuracy of the Statement of Facts at the Exit Conference and in written responses to GAO.
- The Freedom of Information Act (FOIA): This Act, 5 U.S.C. 552 Provides the public the right to request access to federal records. Federal agencies are required to disclose any information requested unless it falls under one of nine exemptions and three exclusions contained in the Act.
- Purpose: NIH must provide the OIG and GAO access to agency records. This appendix documents the precedent set and regulations governing the disclosure of sensitive information officially requested by OIG and GAO. Specifically, these procedures are to be used as a guide to alleviate concerns over the release of sensitive (e.g., merit-based, pre-award) documentation to OIG and GAO.
- References: The authorities governing access, confidentiality, and privacy for OIG and GAO reviews include, but are not limited to:
- 31 U.S.C. § 716(a)(1) & (e)(1) authorizes the GAO to obtain Federal agency records required to discharge the GAO's duties (including audit, evaluation, and investigative duties), including bringing civil actions to require an agency to produce a record, and gives GAO access to agency records. The investigators are held to the same confidentiality standards as the agency.
- 31 U.S.C. § 720(b) notes that agency statements on actions taken or planned in response to GAO recommendations must be submitted to: (1) the congressional committees with jurisdiction over the pertinent agency program or activity, and (2) the GAO.
- 5 U.S.C. § 552a(b)(10) provides an exception to the Privacy Act of 1974 no-disclosure- without-consent rule in the case of an official request from the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the GAO. 5 U.S.C. § 552a(c) requires each agency to keep an accurate account of the date, nature, and purpose of each disclosure including the name of the agency to whom the disclosure is made; and retain the information for the life of the record.
- 4 Code of Federal Regulations (CFR) § 81.5(a) states it is the policy of GAO not to provide records from its files that originate in another agency or nonfederal organization to persons who may not be entitled to obtain the records from the originator. The NIH Freedom of Information Office will determine whether particular responsive records are confidential and exempt from public disclosure under Exemption 6 to the FOIA (regarding privacy interests) or Exemption 4 to FOIA (regarding trade secrets or confidential commercial information). The NIH Privacy Act Officer within the Office of the Senior Official for Privacy will determine if particular records are exempt from public disclosure under the Privacy Act.
- 5 U.S.C. Appendix Inspector General § 6 states each Inspector General is authorized to have access to all records, reports, audits, reviews, documents, papers, recommendations, or other material available related to programs and operations with respect to which that Inspector General has responsibilities.
- Roles and Responsibilities:
- NIH Office of the Director, Office of Management, Office of Management Assessment will:
- Negotiate to narrow the focus or scope of document requests to release the minimum amount of sensitive (e.g., merit-based, pre-award) documentation.
- Work with NIH officials to proactively gain an understanding of the information available to auditors in response to their requests and the most efficient way to provide the information to the auditors. This may include:
- Transmitting information that will allow auditors to see what officials are able to provide to narrow the sample selection
- Redacting data to prevent disclosure of unnecessary information, including personally identifiable information or other sensitive information; or
- Suggesting that the auditors review the records on site with limited copies and evidence removed from the original source files
- Suggesting auditors submit a request for data/records for NIH to pull from internal systems, rather than giving auditors direct access to systems or repositories that contain sensitive information
- Document and maintain a record of the disclosure and any communications.
- Ensure that interested parties are aware of the negotiated agreement.
- Transmit the sensitive (e.g., merit-based, pre-award) documentation in a secure manner with encryption through secure mail (email or non-email) channels or add a password to protect electronic files as needed.
- NIH Office of the Director, Office of Management, Office of Management Assessment will: