Post Award MUHAS, Dartmouth, UCSF Surviving Audits Tuesday October 21, 2014

Agenda O Types of Audits O Audits and the New Uniform Guidance O Audit Requirements O Audit Process (initiation to closure) O Role of Internal Auditors

Positive Aspects of Audits O Along with policies, procedures and internal controls, audits are an essential tool in the “compliance toolbox” O Most audits are “not for cause” and designed as a reasonable and efficient to see if we are: O Following sponsor rules O Following our rules O Implementing clear policies O Adequately training staff O Have adequate resources O Anything else?

At what time in the award life-cycle should you think about audits? Discussion

Types of Audits O Pre-award O Financial Statement O OMB Required Audit (formerly A133) O Program Review (site visit that involves an assessment of finance and administration) O Internal audits O “Not for cause” agency audits O “For cause” agency audits

Foreign Recipients and the Uniform Guidance Audit requirements (Subpart F) do not explicitly exclude foreign subrecipients, unlike A-133 which stated specifically that it did not apply to “non-U.S. based entities”. Subrecipient monitoring requirements suggest that prime recipients verify that every subrecipient is audited as required by Subpart F when the subrecipient reaches the audit threshold in UG § ($750K). Sponsors may extend Subpart F or comparable audit requirements to foreign recipients. If applicable, prime awardee must resolve foreign subrecipient audit findings and issue a management decision. Common audit issues:– Effort reporting, VAT, indirect costs (under UG, foreign subrecipients without an IDC rate may be eligible to charge the de minimus 10% of MTDC, if not prohibited by sponsor policy. UG § 414(f)).

Do Audits Mitigate Risk to the Project and the Institution? If “yes”, how? If “no”, how? Discussion

Audits: Best Practices O Situations can be challenging due to: O Having to respond according to the auditor’s time frame O Staff may have to shift priorities on very short notice O Don’t panic O Assign a primary liaison: Think very very carefully about which staff are tasked with working on the audit. It is never wise to deploy your least experienced team member.

Notification Institutional Clearances Definition of Scope & Sponsor Review Preparation Aar Conditions Fieldwork Management Responses Exit Conference Entrance Conference Audit Report

Sample Audit Roles and Responsibilities RoleResponsibilities Principal Investigator Respond to questions about how expenses tie to program objectives Respond to questions about personnel effort Affirm awareness of controls and policies Department Grant Manager Be available to meet with auditor along with OSP Provide justification for expenses Address department processes and controls OSP Receive audit notice and negotiate timing and scope Serve as official point of contact Clarify requests Communicate with senior leaders Document progress, items provided, resolution Institutional Leadership Affirm institution’s standards of conduct, compliance Review responses and findings Respond to findings with resources, education or policy Legal Counsel Review regulatory and sponsor audit provisions Assist in negotiation of scope and resolution as needed Other Central Offices Provide source documentation Address policy questions

Preventive Audit “Medicine” O Develop clear institutional policies and continuously improve them O Identify areas of not meeting policies and review and modify O Training O Limit exceptions to your policies and document reasons O Monitor peer audits and sponsor guidance

Scope O Request that the auditors provide a clear definition of the timing, methodology, years covered, and focus O Is it reasonable to review every transaction? O Refer to other recent audits including internal reports that might have covered part or all of the scope O Express your position (in a nice way) concerning the sample size and number of years covered

Preparation O Submit detailed transactional report for audit sampling O Code every transaction selected on a tracking tool to record date requested and provided O Review every transaction selected BEFORE providing documents O Do not provide originals or working files O You are not required to provide more than requested

Preparation O Request and schedule an opening meeting to discuss: O Scope and process O Timeline O Report O Ability of institution to review and comment on report O Close meeting O Provide quiet space O Appoint a liaison but stay actively involved with daily updates

Fieldwork O Always accompany the auditors for any visit to a department or meeting with faculty or staff O Instruct staff to not answer questions outside of their job responsibilities O It’s ok to say “I will need to get back to you” O Respond with documentation and answers as quickly as possible O Liaison to track all responses

Conclusion O Obtain a copy of any report O Confirm process and timeline for responses

NIH Grants Policy Statement (until 12/26/14): Audits Audit Foreign grantees are subject to the same audit requirements as for-profit organizations (specified in 45 CFR 74.26(d) and in the Grants to For-Profit Organizations chapter).Grants to For-Profit Organizations Audit The requirements for non-Federal audits of for-profit organizations are specified in 45 CFR 74.26(d). A for-profit organization is required to have a non-Federal audit if, during its fiscal year, it expended a total of $500,000 or more in Federal awards. 45 CFR 74.26(d) incorporates the thresholds and deadlines of OMB Circular A-133 but provides for-profit organizations two options regarding the type of audit that will satisfy the audit requirements. The grantee either may have (1) a financial-related audit (as defined in, and in accordance with, the Government Auditing Standards (commonly known as the "Yellow Book"), GPO stock , of a particular award in accordance with Government Auditing Standards, in those cases where the recipient receives awards under only one HHS program, or (2) an audit that meets the requirements of OMB Circular A-133. OMB Circular A-133 is available electronically athttp:// The Government Auditing Standards are available electronically at Audits must be completed and submitted to the National External Audit Review Center within 30 days after receipt of the auditor's report(s), or 9 months after the end of the audit period, i.e., the end of the organization's fiscal year, whichever is earlier. The address is found in Part III. External Audit Review Center For-profit organizations expending less than $500,000 a year are not required to have an annual audit for that year but must make their grant-related records available to NIH or other designated officials for review or audit.

US Regulations: Single Audit Act (A133) O The Single Audit Act of 1984 established requirements for audits of States, local governments, and Indian tribal governments that administer Federal financial assistance programs. O Threshold under Uniform Guidance will be $750k O Watch for agency implementations for non- US recipients

COGR PRINCIPLE VIII. ASSESSMENTS AND AUDITS The institution has a formal system for compliance assessment and audit that demonstrates that the institution complies with both federal regulations and institutional and other sponsor policies. Practice A. The institution has written policies and procedures drawn from appropriate professional auditing standards for performing compliance assessments, formal audits, and for reporting the results to the appropriate, responsible official. These policies and procedures are distributed to the appropriate institutional officials. Indicator 1. The institution demonstrates a knowledge of and commitment to compliance by performing risk-based compliance assessments in areas of sponsored program activity and reports the results of such assessment to the appropriate responsible official. Indicator 2. The institution develops a risk-based assessment/audit plan on a regular basis.

Principles Indicator 3. The institution initiates formal risk-based audits of administrative and financial systems that support the sponsored program enterprise and reports the results of such audits to the appropriate responsible official. [See also, II-6, Subrecipient Monitoring.] Indicator 4. The results of financial and compliance audits are communicated to all affected individuals and corrective action plans, as may be appropriate and developed in response to compliance assessments, are monitored for implementation.

Principles Audits Practice B. The institution has written policies and procedures for both its external audit and its internal audit responsibilities. Indicator 1. There are policies in place to ensure the institution’s auditor has the appropriate reporting relationship to ensure independence within the organization. Indicator 2. Procedures are in place to ensure that external auditors are selected in accordance with a process that complies with the requirements of OMB Circular A-133. Indicator 3. The institution has an internal audit charter that states the internal auditors’ responsibilities and authority.

Principles Audits Practice C. The institution’s auditors and external auditors under appropriate circumstances have unrestricted access to the institution’s records, properties, and personnel as those relate to any given subject under review. Practice D. The institution has procedures for ongoing review of its finances, compliance with its administrative directives, and conformance with governmental laws and regulations. Indicator 1. Audits of systems and operations are developed and maintained on a regularly scheduled basis. Indicator 2. Financial objectives, goals and control procedures are established and maintained. Indicator 3. Systems of controls adequately ensure the reliability and integrity of financial and operating information. Indicator 4. Systems of controls adequately safeguard and account for the assets of the institution. Indicator 5. Operations or programs are being conducted and their performance measured consistent with established goals and objectives.

Principles Audits Indicator 6. Systems of controls adequately measure and ensure that resources are used economically and efficiently. Indicator 7. Reports are prepared for management stating findings and recommendations, and significant audit matters are reported directly to appropriate officials. Indicator 8. Adequate follow-up exists to determine that appropriate actions are taken to resolve audit findings, including those of subrecipients.

Principles Audits Practice E. The institution complies with government auditing requirements with respect to its federal programs. Indicator 1. Controls are in place to ensure external audits are performed in accordance with and submitted as required by federal regulations. Indicator 2. Mechanisms exist to coordinate and manage the activities of internal and external auditors. Indicator 3. Controls are in place to ensure that nonprofit subrecipients have met respective audit requirements and, in cases of noncompliance, that corrective action is taken. Indicator 4. There is periodic verification by internal and/or external auditors of the subrecipient process instituted at the institution. Indicator 5. The institution’s audit program includes tests for internal controls and compliance with administrative requirements, such as the compliance supplement to OMB Circular A-133.

Resources O National Association of Cost Analysts audit_summary.pdf audit_summary.pdf O NACUBO O Single Audit Compliance supplement mpliance_supplement_ mpliance_supplement_2014 O MAXIMUS Higher Education Webinars on Federal Compliance Webinar Series education/webinars education/webinars