Institutions with federal research dollars, particularly from the National Science Foundation (NSF), know they may be subject to an audit by the funding agency’s Office of Inspector General (OIG). NSF OIG is quite active in this area, conducting more than a dozen incurred cost audits most years.
Although NSF OIG has been refining its audit process in recent years, it remained quite labor intensive for both the auditors and auditees. Then, once the audit was done and submitted to NSF for action, the resolution process could also be protracted, especially when a university or other award recipient disagreed with any OIG findings and repayment requests. While ultimately successful for Purdue University, its recent audit took 3 1/2 years from start to finish and involved “pages and pages” of exchanged documents.
But there’s potentially good news: As a result of a “redesign” of its process, not all institutions will automatically undergo a full incurred cost audit. Decisions will be based on the results of a “survey” OIG does first, according to Mark Bell, NSF OIG assistant inspector general for audit. So far OIG has handled eight awardee audits this way, and, in one case, it has meant no true audit at all. For one, however, OIG is doing an audit and some additional testing.
Bell described the new process at last month’s National Science Board (NSB) meeting, where it received a positive response—including from members of NSF itself.
As Bell explained, before the change, “We simply conducted incurred cost audits on everyone. We decided maybe that’s not the best way to do business.”
Now, an audit has two phases. “In phase one, we do an assessment or survey of the university that’s been selected for audit,” which includes reviewing “their overarching controls on the grant process, such things as the internal control environment, their accounting system, their culture…various elements of what should be in a control environment,” he said.
Next, “we step back, and we look at that work, and we determine what is the most useful type of audit to do at this particular university,” Bell continued. As of early February, out of six surveyed, OIG had actually “terminated” the audit for one.
For One, Audit Plus Targeted Testing
This institution, which Bell did not identify by name, “had a solid control environment,” he said. “We didn’t see anything that indicated a lot of risk. We decided that we would report-out, or survey-out. That really shortened the audit process and gave credit to the university for having a good control environment.”
Two are going through more of a focused audit. These “had pretty decent control environments, but we found some things that might need improvement, where they could use some help. So we designed limited scope audits to focus on those particular areas,” Bell said.
In another two, “we found some issues with the cost accounting, so we’ve designed an incurred cost audit to look further into their cost systems and their management of costs,” said Bell. “And in one, we found some issues with both the cost accounting as well as [with] some other areas where they had weakness.”
This institution will go through a full incurred cost audit “with some targeted testing on those other areas of weakness,” Bell said.
CPAs Will Conduct Two-Phase Audits
In an emailed response to questions from RRC, an OIG spokesperson said February 2019 marked the first time OIG implemented the two-phase process, and she confirmed its use is widespread, with some exceptions.
“This audit process will be utilized for all external audits conducted by independent public accounting firms for the foreseeable future,” she added. “We have three audits in progress that were started using our previous incurred cost audit approach of testing a minimum of 250 transactions.”
OIG has initiated incurred cost audits of two recipients of the Established Program to Stimulate Competitive Research awards, which are not two-phased. Another change in fiscal year 2019 was the introduction of compliance analytics desk audits, which “focus on smaller entities for which regular audits are not cost-effective,” OIG explained in its FY 2020 audit work plan. These are also ongoing, the spokesperson said.
Bell reported to the NSB that the new two-phase process is “working really well.”
“Under the old method we would have done all eight of these [as] incurred cost audits regardless of what the institution’s environment was,” he said. “We think that this methodology is better for the auditee and better for us. It saves a lot of time and resources on both sides.”
Teresa Grancorvitz, NSF’s chief financial officer and head of its Office of Budget, Finance and Award Management, which handles NSF’s responses to audit findings, praised the new approach.
“NSF on the management side [is] supportive of the OIG’s updated approach to their external grant audits,” she said during the NSB meeting. “We believe it is [a] reasonable and efficient use of federal and recipient resources, that the risk assessment phase minimizes administrative burden and focuses resources to address the vulnerable areas of compliance and oversight.”
She added that, under the new approach, “NSF and OIG collaboration has continued to increase in frequency and quality.”
Bell also offered NSF praise on its responsiveness and cooperation. OIG, on occasion, releases a notice of findings and recommendations to NSF prior to public release of an audit “so that NSF is aware of what we’re finding during the audit,” Bell said. At times, NSF officials are “faster than us and are fixing things before we can even publish our reports.”
Bell addressed how NSF OIG selects institutions to be audited and noted some changes. OIG, he said, collects information as part of a “risk model.” This is not a new concept, however, and the related use of data analytics caused controversy in the past when it was first initiated. At the time, NSF OIG was assigning risk scores to institutions, but it would not tell them what their scores were or how exactly they were calculated.
Focus Moves to Institutions With Less Than $70M
As Bell described it, the current “risk model is initially [based on] limited data that’s available within NSF. We add to the data universities that we know have had past histories of problems, universities that have single audits that may have had issues with it; we look for things that we had consistently found.”
Information is also gleaned from Google searches “for whether there are any investigative cases that occurred that weren’t handled by NSF but occurred at the university by another investigative agency. We factor all of those things in,” Bell said.
Auditors also “look at funding levels,” he said. “We had in the past gone to most of the universities with large amounts of funding” to conduct audits. OIG realized that “those universities have a robust grant office and program,” and thus perhaps fewer areas of concern.
Instead, “we’ve started tiering our risk models to universities under the $70 million mark” in funding, said Bell, and “are finding more issues.”
Bell said OIG annually updates the “risk model based on what we are finding. When we do our testing at the next level, when we go out and get ledgers and can see the data, we know there are certain areas, let’s say foreign travel, that come up,” he said. “We’ll target those areas to see if there’s the same problem existing there [as] at others. We do have a robust process of risk [assessment]. We’re not just auditing the same thing over and over and over again.”
Lerner: Management Also Owns ‘Risk’
Commenting further on the partnership between NSF and OIG, Bell said his role is to spot issues and report them to NSF before they worsen.
“I’m an auditor. I’m not a scientist. I’m not an engineer. I don’t build large facilities. But I ask a lot of different questions. That’s [what] I try to instill in my team: Let’s ask questions that are going to help, the questions that you might not ask, so we can identify things early and help the agency see problems before they happen,” Bell said.
Inspector General (IG) Allison Lerner, who also addressed the NSB, concurred.
“Part of our job—it is not just our job, but it’s the agency’s too, but we do it through different lenses—is to be constantly scanning the horizon and looking for the risks. There’s the known risks; there are the unanticipated risks. We always want to have an eye out for that and then start factoring it into what Mark does on his [audit] side of the house and what the investigative crew does on their side of the house,” said Lerner.
Additionally, OIG “engage[s] with NSF to see if we’re seeing things the same way that they are,” Lerner said, adding that this reflects a shift.
“I think that’s one of the things that’s changed over the past two years—there’s broader acceptance that risk isn’t just something that belongs to the IGs. Management owns that. That deepens and enriches the conversation that we can have,” said Lerner.
Policy Placement Was ‘Sloppy’
Outgoing NSF Director France Córdova acknowledged that the agency needed to tighten up where it situated its policies. “I also add that a big change was that I think NSF was a little bit sloppy about where its policy was,” she said. “And that happens to be very important when you audit it.”
She recalled that for a number of years, auditors flagged two-month summer salaries as unallowable, but institutions pushed back, saying NSF’s FAQs said otherwise.
But “it wasn’t in the policy,” Córdova said, and auditors “are not auditing against our FAQs.”
Once NSF officials, she said, “stopped resisting and started listening, we said, ‘Oh, we can fix that…through just better policy-setting.’” Córdova added that there were “a number of instances like that.”