Transmittal Notice

  1. Explanation of Material Transmitted:

    This revised chapter outlines responsibilities for assisting with Department of Health and Human Services (HHS) Office of Inspector General (OIG) and Government Accountability Office (GAO) program audit reviews conducted at the National Institutes of Health (NIH), and for responding to, and taking corrective action on, OIG and GAO program audit findings and recommendations. Included in the revision are updates to web site references, the Glossary of Terms (Appendix A), and a new Appendix B.

    Please refer to NIH Manual 1753 to review NIH’s responsibilities with processing audit reports of contractors and grantees distributed by the OIG.

  2. Filing Instructions:

    Remove: NIH Manual Chapter 1752, dated 07/13/2011
    Insert: NIH Manual Chapter 1752, dated 09/30/2016

PLEASE NOTE: For information on:

A. Purpose and Scope

This chapter outlines NIH employees’ responsibilities for assisting with outside Audit Reviews conducted at NIH by the HHS OIG and GAO; and NIH Management Officials’ responsibilities for responding to, and taking corrective actions on OIG and GAO audit findings and recommendations. For reference, Appendix A contains definitions of relevant terms used in this Manual Chapter. Appendix B contains guidelines for sharing sensitive information with auditors.

This chapter also establishes the response criteria and time frames for NIH Management Officials for responding to OIG and GAO audit findings and recommendations. Time frames may vary depending on the topic and complexity of the OIG or GAO Review. This chapter does not apply to reviews initiated by the OIG Office of Investigations or the GAO Forensic Audits and Special Investigations team, which are initiated under different authorities than the reviews referred to in this chapter.

NIH Delegation of Authority, General Administration: No. 34

  1. United States Code (U.S.C.) App., Inspector General Act of 1978, as amended

  2. 31 USC §§ 711, 715, 717, 719, General Authority, Comptroller General Reports, as amended

  3. 31 USC § 3529, Requests for decisions of the Comptroller General, as amended

  4. OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control, Revised July 2016

  5. OMB Circular A-50 Audit Follow-up

  6. Government Accountability Office, GAO-05-35G, Revised, Agency Protocols, October 2004

  7. Government Accountability Standards for Internal Control in the Federal Government, Revised September 2014

  8. Department of Health and Human Services, General Administration Manual, Parts 5, 21 & 22

  9. Department of Health and Human Services, Office of Inspector General Memorandum, New Policy and Procedures Regarding Extensions for Submission of Agency Comments on Draft Reports Signed by the Inspector General, September 20, 2007.

  10. GAO Open Recommendations Data Base

  11. Department of Health and Human Services, Office of Inspector General, Office of Evaluations and Inspections, Recommendation Response and Clearance Procedures, February 2011.

  12. NIH Manual Chapter 1743, “Keeping and Destroying Records,” Appendix 1, NIH Records Control Schedule

Outside Audit Reviews are an important component of the oversight of internal programs and operations. These Audit Reviews help the organization identify, prevent, and mitigate fraud, waste, abuse, mismanagement, and conflicts of interest. The prompt resolution and development of corrective actions to address audit recommendations are an integral part of good management. Corrective actions taken by management in order to resolve findings and recommendations are essential to improving the effectiveness and efficiency of NIH operations. The audit liaison function at NIH for OIG and GAO Audit Reviews resides within the Office of the Director (OD), Office of Management (OM), Office of Management Assessment (OMA).

At the request of Congress and, under special circumstances, on their own initiative, GAO provides oversight of Federal programs and insight into ways to make government more efficient, effective, ethical, and equitable. GAO reports, testimonies, and legal decisions are reported to Congress. The GAO also issues guidance on the development and use of internal or management controls to ensure effective and efficient government operations.

The OIG is mandated to protect the integrity of HHS programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has the responsibility to report program and management problems, and make recommendations to correct them, both to the Secretary of HHS and to Congress. The OIG conducts audits, investigations, and inspections.

The NIH supports, assists, and uses Audit Reviews as important tools for ensuring effective management of agency programs and operations. Upon receipt of a notification letter (GAO) or start notice memorandum (OIG), the OMA is the first point of contact, serves as Audit Liaison and coordinates all management notifications, schedules site visits and phone meetings, and issues electronic communication. This includes the receipt, review, and delivery of data calls, written responses, and technical comments, to ensure a cohesive message from NIH subject matter experts.

In accordance with OMB Circular A-50, the NIH is committed to preparing prompt, responsive, constructive corrective actions in response to OIG and GAO audit report findings and recommendations. The NIH considers Audit Follow-up to be an integral part of good management and a responsibility shared by NIH employees. It is NIH policy to ensure that an Audit Follow-up System provides a complete record of action taken on findings and recommendations.

F. Roles and Responsibilities

  1. NIH Director will:

    1. Review and approve written NIH comments to Audit Reviews to ensure that NIH’s responses are consistent with the organization’s mission, goals, and external communications, as well as the Risk Management Program.

  2. NIH Office of the Director, Office of Management, Deputy Director for Management will:

    1. Review and approve written NIH comments to Audit Reviews to ensure that NIH’s responses are consistent with the organization’s mission, goals, and external communications, as well as the Risk Management Program.

  3. NIH Office of the Director, Office of Management, Office of Management Assessment will:

    1. Track outside Audit Reviews and maintain the official NIH files for OIG and GAO Audit Reviews.

    2. Establish and maintain an audit follow-up system to facilitate the prompt and proper resolution and implementation of audit recommendations.

    3. Serve as the primary contact for notifying the appropriate organization(s) within NIH regarding the start of an OIG or a GAO Audit Review.

    4. Identify an Audit Liaison for each OIG or GAO Audit Review.

    5. Initiate meetings between NIH Management Officials, and coordinate subsequent meetings between NIH employees and OIG or GAO auditors.

    6. Coordinate OIG or GAO requests for documentation, data, and information, or meetings with specific NIH Management Officials.

    7. Coordinate comments to OIG or GAO Draft Audit Reports and any subsequent Audit Follow-up with regard to recommendations or findings described in the Final Audit Report.

    8. Work with NIH officials to proactively gain an understanding of the exact information the auditors require and suggest the most effective way for the auditors to access that information.

    9. Evaluate management’s corrective actions taken in response to OIG and GAO audit recommendations.

    10. Follow up on the status of agreed-upon open corrective actions.

    11. Upon implementation of recommendations, prepare appropriate documentation for GAO or OIG.

    12. Coordinate the preparation and review of oral briefings or other written documents and reports on the results and status of Audit Review activities.

    13. Respond to OIG and GAO inquiries regarding progress on the closure of open recommendations from a Final Audit Report.

    14. Provide briefings on the results and status of Audit Review activities for the NIH Director, NIH Deputy Director, Deputy Director for Management, or OMA Director, and other senior NIH Management Officials, as well as NIH Management Officials involved in the audit.

    15. Coordinate with and keep the HHS, Assistant Secretary for Legislation informed, as appropriate and necessary.

    16. Coordinate within the OD to ensure that NIH’s responses are consistent with the organization’s other external communications, as well as the NIH Risk Management Program.

  4. NIH Office of the Director (OD), Office of Communications and Public Liaison will:

    1. Provide guidance, as requested, on NIH communication with offices and agencies outside of NIH, including but not limited to the public, the media, the scientific and medical communities, and public advocacy groups, as needed to fulfill the responsibilities outlined within this policy.

    2. As needed, disseminate information that may pertain to upcoming, active, or completed Audit Reviews that OMA is coordinating on behalf of the NIH.

  5. NIH Office of the Director (OD), Office of Legislative Policy and Analysis will:

    1. Provide guidance, as requested, on NIH communication with the Congress and its committees to fulfill the responsibilities outlined within this policy.

    2. As needed, disseminate information on congressional inquiries or congressional interest that may pertain to upcoming, active, or completed Audit Reviews that OMA is coordinating on behalf of the NIH.

  6. Office of the General Counsel, Department of Health and Human Services will:

    1. Provide advice to management on review topics, as needed.

    2. Review agency responses to draft reports.

  7. NIH Institute & Center Executive Officers (EO) will:

    1. Serve as liaison, or designate staff to serve as a liaison, between OMA and their respective NIH OD Office, or Institute or Center (IC) to respond to OIG and GAO audits and inquiries.

  8. NIH Management Officials will, through their respective EO or its designated liaisons:

    1. Cooperate with OMA in their responsibility to coordinate Audit Reviews conducted by the OIG and GAO.

    2. Provide documentation and assistance as part of an official Audit Review. Examples of documentation and assistance may include providing program data, official comments to Draft Audit Reports, or updates on the status of corrective actions taken.

    3. Direct staff, as necessary, to fulfill their responsibilities as outlined in this policy.

    4. Work with OMA to resolve issues pertaining to OIG or GAO Audit Reviews.

    5. Provide OMA with prompt and responsive corrective actions to OIG and GAO report findings and recommendations.

    6. Implement corrective action(s) in response to OIG and GAO findings and recommendations.

    7. If contacted by GAO or OIG without prior notification from OMA, refer the GAO or OIG auditor to OMA to coordinate any request for information.

G. Records Retention and Disposal

All records pertaining to this chapter must be retained and disposed of under the authority of NIH Manual 1743, "Keeping and Destroying Records," Appendix 1, "NIH Records Control Schedules" (as amended). These records must be maintained in accordance with current NIH Records Management and Federal guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information.

H. Internal Controls

The purpose of this manual issuance is to establish internal controls with regard to NIH’s audit-related responsibilities.

  1. Office Responsible for Reviewing Internal Controls: Office of Management Assessment, NIH.

  2. Frequency of Review: Ongoing.

  3. Method of Review: An overall agency-wide evaluation of compliance with this policy. The Audit Review may include surveys, interviews, testing and analysis of actions.

  4. Review Reports are Sent To: Deputy Director for Management.

Appendix A - Definitions/Glossary of Terms

  1. Audit Findings and Recommendations: Pursuant to government auditing standards, audit findings may involve deficiencies in internal control, fraud, illegal acts or violations of provisions of contracts or grant agreements, and abuse. The elements of a finding depend entirely on the objectives of the Audit Review and are broadly defined as criteria, condition, cause, and effect. Audit recommendations are intended to improve agency operations.

  2. Audit Follow-up: Audit Follow-up is completed by agency Management Officials and includes ensuring that (a) systems of Audit Follow-up, resolution, and corrective action are documented and in place, (b) timely responses are made to audit reports, (c) disagreements about audit findings are resolved, and (d) corrective actions are implemented.

  3. Audit Follow-up Official: Within NIH, OMA has a designated Audit Follow-up Official who has responsibility for ensuring that (a) systems of Audit Follow-up, resolution, and corrective action are documented and in place, (b) timely responses are made to audit reports, (c) disagreements are resolved, (d) corrective actions are actually taken, and (e) NIH supports HHS’ efforts to produce any Department-wide semi-annual reports that, as required by OMB Circular A-50 paragraph 8.a.(8), are sent to the head of the agency.

  4. Audit Follow-up System: A system developed by an agency to facilitate the prompt and proper resolution and implementation of audit recommendations. The system for resolution and corrective actions must meet the standards outlined in OMB Circular A-50, including a complete record of action taken on both monetary and non-monetary findings and recommendations.

  5. Audit Liaison: Senior management official who serves as the contact for OIG and GAO Audit Reviews with NIH Management Officials. The NIH uses the Audit Liaison position to fulfill several of the responsibilities detailed in OMB Circular A-50 including serving as the agency’s Audit Follow-up Official. OMA performs the official Audit Liaison function for OIG and GAO Audit Reviews conducted at the NIH.

  6. Audit Reviews: A term referring to studies, audits, reviews, evaluations or inspections of an agency’s programs or operations that may involve on-site visits, documentation reviews, and interviews of personnel. The Audit Review is usually preceded by a Notification Letter that identifies the requester(s) and summarizes the objectives of the study, audit, review, evaluation or inspection. An Audit Review typically results in a Final Audit Report, but other products can result as well, such as an executive-level correspondence letter. For high profile OIG or GAO Audit Reviews, related congressional testimony may be possible.

  7. Corrective Action: Action taken by the agency to implement recommendations and resolve audit findings. The agency describes the planned or taken Corrective Actions in the Statement of Action or the Management Decision Letter.

  8. Draft Audit Report: An OIG or GAO prepared document that is provided to HHS and relevant NIH officials. The agency prepares written comments in response to the statements, recommendations, and conclusions within the Draft Audit Report. For reports that require NIH comments, OMA prescribes timelines to ensure that the agency meets its regulatory requirements for responding to OIG or GAO within the required due dates.

  9. Entrance Conference: An initial meeting when OIG or GAO discusses its scope of work, expectations of the NIH Management Officials, specific information needs (e.g. data, access to agency officials, workspace), key objectives (research questions), sites where auditors expect to conduct their work, the need for any precautions to protect data or information, and estimated length of the Audit Review.

  10. Exit Conference: A concluding meeting when the OIG or GAO explains the critical facts and key information learned during the Audit Review to formulate its conclusions. The Exit Conference also provides an opportunity for NIH and the OIG or GAO to verify the information confirmed during their Audit Review.

  11. Final Audit Report: The final version of an OIG or GAO prepared Draft Audit Report, which includes agency comments.

  12. Management Decision Letter: The Management Decision Letter is prepared by the NIH and provided to the OIG. This letter indicates whether or not the NIH concurs with each recommendation and the corrective actions the NIH has taken or plans to take to implement OIG recommendations. This is an equivalent document to the GAO Statement of Action.

  13. Government Accountability Office (GAO): The agency within the legislative branch responsible for conducting studies, audits, or evaluations at the request of Congress to help it meet its constitutional oversight responsibilities and to improve the performance and accountability of the Federal government. The GAO has a public facing website database.

  14. Management Officials: Management Officials are agency officials that are responsible for receiving and analyzing audit reports, providing timely responses to the OIG and GAO, and taking corrective actions where appropriate.

  15. Notification Letter/Entrance Notice: A formal announcement of the start date, scope, and objectives of an Audit Review by OIG or GAO.

  16. Notification of Final Action: Documentation prepared by OMA, in coordination with NIH Management Officials, and subsequently provided to OIG auditors regarding recommendations in an OIG Final Audit Report.

  17. Office of Inspector General (OIG): The HHS component responsible for conducting and supervising audits, evaluations, and inspections relating to HHS programs and activities.

  18. Statement of Action: The HHS and NIH response prepared in accordance with 31 USC § 720. It is an update on the status of the corrective actions taken or that the agency plans to take to implement recommendations contained in the GAO Final Audit Report. The Statement of Action is provided within 60 calendar days of issuance of that report. The Statement of Action is an equivalent document to the OIG Management Decision Letter.

  19. Statement of Facts: A GAO prepared document that is provided to HHS and relevant NIH officials prior to the Exit Conference. The document contains a list of facts that are likely to appear in the Draft Audit Report. The relevant officials are then given the opportunity to comment on the validity and accuracy of the Statement of Facts at the Exit Conference and in written responses to GAO.

  20. FOIA: The Freedom of Information Act (“FOIA”), 5 U.S.C. 552, provides individuals a right of access to records in the possession of the federal government. The government may withhold information pursuant to the nine exemptions and three exclusions contained in the Act.

Appendix B - Procedures for Handling Sensitive Document Requests by the OIG and GAO

A. Purpose:

NIH must provide the OIG and GAO access to agency records. This appendix documents the precedent set and regulations governing the disclosure of sensitive information officially requested by OIG and GAO. Specifically, these procedures are to be used as a guide to alleviate concerns over the release of sensitive merit-based, pre-award documentation to OIG and GAO.

B. References:

The regulations governing access, confidentiality, and privacy are codified in:

  1. 31 U.S.C. § 716(e)(1) gives GAO broad investigatory access to agency records. The investigators are held to the same confidentiality standards as the agency.

  2. 5 U.S.C. § 552a(b)(10) provides an exception to the Privacy Act no-disclosure-without-consent rule in the case of an official request from the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the GAO. 5 U.S.C. § 552a(c) requires each agency to keep an accurate accounting of the date, nature, and purpose of each disclosure including the name of the agency to whom the disclosure is made; and retain the information for the life of the record.

  3. 4 Code of Federal Regulations (CFR) § 81.5(a) states it is the policy of GAO not to provide records from its files that originate in another agency or nonfederal organization to persons who may not be entitled to obtain the records from the originator. The NIH Freedom of Information Office will determine whether particular responsive records are confidential and exempt from public disclosure under Exemption 6 to the Freedom of Information Act (FOIA) (regarding privacy interests) or Exemption 4 to FOIA (regarding trade secrets or confidential commercial information). The NIH Privacy Act Officer within the Office of the Senior Official for Privacy (OSOP) will determine if particular records are exempt from public disclosure under the Privacy Act.

  4. 5 U.S.C. Appendix Inspector General § 6 states that each Inspector General is authorized to have access to all records, reports, audits, reviews, documents, papers, recommendations, or other material available related to programs and operations with respect to which that Inspector General has responsibilities.

  5. Public Law 115-3, GAO Access and Oversight Act of 2017, Section 2, Access to Certain Information, authorizes the GAO to obtain federal agency records required to discharge the GAO's duties (including audit, evaluation, and investigative duties), including through bringing civil actions to require an agency to produce a record. It also states that agency statements on actions taken or planned in response to GAO recommendations must be submitted to: (1) the congressional committees with jurisdiction over the pertinent agency program or activity, and (2) the GAO.

C. Roles and Responsibilities:

  1. NIH Office of the Director, Office of Management, Office of Management Assessment will:

    1. Negotiate to narrow the focus or scope of document requests to release the minimum amount of sensitive merit-based, pre-award documentation.
    2. Work with NIH officials to proactively gain an understanding of the exact information the auditors require and suggest the most efficient way for the auditors to access that information.

      This may include:

      • Transmitting information that will allow auditors to see what officials are able to provide in an attempt to narrow the sample selection
      • Redacting data to prevent disclosure of unnecessary information
      • Suggesting that the auditors review the records on site with limited copies and evidence removed from the original source files
    3. Document and maintain a record of the disclosure and any communications.
    4. Ensure that interested parties are aware of the negotiated agreement.
    5. Transmit the sensitive merit-based, pre-award documentation in a secure manner with encryption through secure mail (email or non-email) channels or add a password to protect electronic files.

* If you require a 508 compliant PDF version of a chapter please contact policymanual@nih.gov