Compliance Corner

OIG official's ideas for improving site's compliance

Federal guidelines expected this year

Research institutions have paid greater attention to compliance and oversight issues in the past decade, partly because of national and Congressional attention paid to corporate wrongdoing by Enron and other non-research institutions.

But what's missing from the headlines is how much work goes into creating an effective compliance program.

The main purpose of a compliance program is to bring together administrative activities that ensure a program is run with integrity in the financial, administrative, and ethical realms, says Peggy Fischer, PhD, an associate inspector general for investigations in the Office of the Inspector General, National Science Foundation in Arlington, VA. Fischer spoke about effective compliance programs at the 2006 Annual Meeting of the Society of Research Administrators of Arlington, VA, which was held Oct. 14-18, 2006, in Quebec City, Canada.

"So when you look at compliance programs, which come from government rules and regulations, you need to ask, 'How does the person who is in charge of that ensure the programs that are their responsibility are operated ethically so employees can work in an environment that's safe and ethical?'" Fischer says.

The Department of Health and Human Services, Office of Inspector General, published in the Nov. 28, 2005, Federal Register, draft OIG compliance program guidance for recipients of U.S. Public Health Service research awards.

That guidance was put on hold after research institutions responded with comments requesting universal guidance that would apply to all agencies from which they receive federal funding.

This request was forwarded to the Committee on Science, National Science and Technology Council, and the White House Office of Science & Technology Policy (OSTP), which have been working with other federal agencies on such guidance since the summer of 2006. The office has guidance that is being finalized among the various agencies that would be affected, and when it has been approved by all, it will be published in the Federal Register as a draft available for comments.

While the HHS draft guidance provides good examples of financial management and compliance, the expected OSTP guidance will cover a full range of compliance issues, including human subjects review, animal welfare review, and others.

The draft could be published as early as the spring of 2007, but is expected at least by the end of the year.

Research institutions do not need to wait for federal guidance, however, because there are many best practice ideas and models available for improving compliance.

One way to ensure an ethical and compliant research program is to examine at-risk areas, Fischer suggests.

Ask these questions:

  • What are the things I do that are the most risky?
  • Where do I have the weakest controls?
  • What are the things that go on that I don't know anything about?

Research compliance managers should take a close look at the black hole projects that are under someone else's control, Fischer says.

"That's a risk area that you need to know more about," she adds. "So the objective of a compliance program is to provide some insight that will reduce the level of risk associated with the institution."

Fischer recommends that compliance programs refer to the Federal Sentencing Guidelines for Institutions, which identify seven key elements in a compliance program. They are as follows:

  1. implementing written policies and procedures;
  2. designating a compliance officer and compliance committee;
  3. conducting effective training and education;
  4. developing effective lines of communication;
  5. conducting internal monitoring and auditing;
  6. enforcing standards through well-publicized disciplinary guidelines;
  7. responding promptly to detected problems and undertaking corrective action.

When institutions run into trouble with compliance regulations, they can be asked to settle with the government, and this might include both a monetary amount to repay alleged wrong-doing and an agreement to implement a compliance program, Fischer notes.

It's wiser for institutions to be proactive and have a comprehensive compliance program in place before they are snared.

"The rationale is that you'd rather do the compliance program yourself, so when federal officials come in you could say, 'I've got one, but we just had an odd incident,'" Fischer explains.

According to Fischer, the most common types of civil/criminal allegations in NSF OIG investigative files from 1990 to 2006 are the following:

  • theft/embezzlement - 31%;
  • false or fraudulent statements - 24%;
  • miscellaneous - 20%;
  • false or fraudulent claims - 13%;
  • conflicts of interest - 9%;
  • computer fraud - 3%.

And the most frequent audit findings are these:

  • policies and procedures inadequate or absent - 24%;
  • lack of source documentation to support costs - 18%;
  • inadequate system to track, manage, or account for costs and/or assets - 14%;
  • unallowable costs - 7%;
  • lack of proper approval, certification, or authorization - 6%;
  • inadequate or absent project or technical report - 6%;
  • reconciliations inadequate or not performed - 4%;
  • inadequate or absent financial report or proposal - 4%;
  • costs claimed exceed amounts or rates allowed by award provisions or federal regulations - 4%;
  • lack of segregation of duties - 4%.

In the best case scenario, an institution never has a civil or criminal finding from a government investigation because the institution's own compliance program would help to prevent fraud and abuse, discover all problems, and correct them immediately.

"The objective is to make sure the incident doesn't happen again and that you can detect civil or criminal wrong-doing from the government's perspective," Fischer explains.

The key is to have an active internal oversight and auditing program in place, Fischer says.

"An independent program is an extremely good way to catch potential problems when they're small," Fischer says. "Programs like that can catch issues in internal controls, such as not having sufficient independence between check-issuing and check-signing."

Also, money-flow problems can be caught and corrected with these types of programs, she says.

"Make sure you have a good employee education program so people know that compliance is a priority from the top of the organization on down," Fischer says. "The leader of the organization must articulate it, believe it, and live it."

Part of compliance also includes creating an environment in which employees feel they can report something of concern to administrators, and this reporting will not be seen as a negative action on their part, Fischer adds.

"You can't have a compliance program if there's no support for it at the top," she says.

Lastly, all compliance programs should include annual training sessions for teaching staff how to handle conflict of interest issues, reimbursements, and reporting of problems, Fischer says.

"Are there brochures around the institution saying, 'This is our hotline?'" she says. "How do you handle the nuts and bolts of your job according to policies and procedures?"

Each training program should be tailored to the institution's particular needs, Fischer adds.