Compliance Corner

Compliance process improved by auditing

Focus on financial compliance issues

An extensive auditing process is an important feature of a research compliance program, provided the auditing reports are used to improve compliance processes and interventions.

"We use audit results to craft either an audit-based educational program or to develop interventional programs for a specific department that might need some help," says Denise McCartney, MBA, associate vice chancellor for research administration at Washington University in St. Louis.

Washington University has an extensive, institution-wide compliance program that includes financial and research compliance, McCartney says. "The university has a hotline where employees can report compliance failures, financial or otherwise," she adds.

"We also provide multiple contacts where people can report compliance failures, so if they have one related to human subjects protection, they might want to talk to the vice chancellor for research or the IRB chair," McCartney notes. "We give them as many avenues as we can."

Washington University empaneled a committee to work toward the goal of developing research roles and responsibilities for various offices, says McCartney. The committee was headed by a research education professional and included principal investigators and department administrators.

"We used the existing compliance groups like the IRB to review the draft of the document once we completed it," McCartney says. "They could send us comments or suggestions for changes."

Another program that assists in the goal of compliance is the research education program that delivers educational materials to faculty and staff, McCartney notes.

"We focus on financial compliance-related issues and work with the sponsored projects accounting office to prepare that kind of training program," she says.

There also have been educational programs about conflict of interest, scientific integrity, grant writing, and other topics, with additional plans to provide a class on effort reporting, McCartney adds.

Human subjects protection education is available on the Web, and it’s a requirement for everyone involved in human subjects research, she says. "Education is a big deal here, and there is a lot of it."

"Our IRB provides more targeted educational programs for specific needs, as does our animal studies committee," she says.

Internal audits critical

One of the major compliance checks and balances is the audit process.

"We have a transaction review that occurs based on certain budget codes and dollar amounts that require review and approval by our sponsored programs accounting," McCartney says.

"Many of our policies are written regardless of funding source," she notes. However, one research compliance concern that the institution is focusing on involves federal grants and billing compliance, she says.

"You can’t charge the federal government for patient services under Medicare and then charge the same item on the research grant, so our audit billing compliance office is responsible for looking at those sorts of things," she explains.

A primary compliance coordinator and three auditors select projects to check based on risk, size, and special requests. "They have developed their own self-risk-assessment tool, approved by the board of trustees," McCartney says.

Staff who believe they have witnessed a compliance problem are encouraged to call McCartney or the office of the vice chancellor for research. "Our goal is to make people feel comfortable and that they have the right to tell us about compliance issues," McCartney says.

Sometimes projects referred to the auditing office may involve personnel issues and have nothing to do with compliance, she says. For example, someone might call the vice chancellor for research to report a situation of scientific misconduct, such as plagiarized or falsified data.

A fictional example would be if someone reports a financial misuse of funds where an investigator took the whole research team out to the beach for the week or paid for a holiday party, she says. Or the report might be that the investigator used funds from one grant to do the work on another grant, she adds.

Accreditation audits

Self-audits are important tools for finding problems, but the institution also has had to cope with various audits by outside agencies, including proactive compliance site visits by the National Institutes of Health, McCartney says.

"We view those as learning opportunities," she adds. "We’ve had some other types of audits, including visits by the General Accounting Office, where they were talking to people about conflicts of interest."

The institution also has research accreditation oversight from the Association for the Accreditation of Human Research Protection Programs, McCartney says.

When an outside agency announces its intention to audit a research site, it’s important for the research administrator to understand the scope of the expected visit, McCartney suggests.

"If you’re uncomfortable with that scope, then negotiate with them," McCartney says. "You want to make it very clear and understand what they’re doing, and you absolutely can negotiate."

For instance, an auditor often will make an initial call that has a very broad agenda. In this case, the research administrator could negotiate a limited visit with specific dates and limits on the documents that will be reviewed, she explains.

"If the auditors say they want to look at the past five years, you can point out that the regulations say you only need to keep documents for three years past the project end date," she says.

Another auditing tip is to make sure that the research office is well prepared for the visit, including identifying staff who are going to participate in the review, McCartney says.

"Some of the auditors will tell you they don’t like to hear you had pre-meetings with faculty and staff, but many of our faculty and staff have asked us to help them have some understanding of the questions they’ll be asked and to give them as much information as they will need to be well prepared," McCartney says.

"We don’t coach them, but we do help them understand the nature of the visit, and we ask them to be honest," she says. "We also try to understand what our potential weaknesses are, if any, and we try to present a strategy on how to correct those."

During the audit visit, it’s helpful to have one person be a primary facility contact, McCartney says. This person will know how to move the auditor to each location and will be able to present the auditor with an overview of the organization and its structure, she says.

"Be very honest with auditors and answer questions, but don’t volunteer information," McCartney says. "Also, you should understand how the report is generated and whether you will have an opportunity to review and respond before it’s finalized."

Most agencies have a report-out session in which auditors can talk with the institution about the review and findings, McCartney notes.

In general, research administrators should pay attention to what’s happening at the national level, McCartney advises.

"We review the audit work plan that’s put out each year by the Office of Inspector General, and it’s available online," she says.

Also, it’s a good idea to call other institutions to find out what’s happened during their audits, so if a federal agency is focusing on a particular compliance issue, the institution can change its focus to that issue, McCartney says.

When one research institution was recently cited for effort-reporting, Washington University staff discussed this with their counterparts at that institution and determined changes they would need to implement as a result of that citation, McCartney says.

"You can’t prevent people from making mistakes, and you can’t legislate against bad apples, so you have to give compliance programs the infrastructure and tools to do their job," McCartney adds.