NIH Did Not Consistently Meet Federal Single Audit Requirements for Extramural Grants

KEY TAKEAWAY

The National Institutes of Health (NIH) did not routinely meet Federal single audit requirements that help ensure that extramural recipients have sound financial practices and internal controls. NIH's lack of oversight and routine use of single audits, as required, could put grants that fund important research at risk for mismanagement.

WHY WE DID THIS STUDY

Single audits promote the efficient and effective use of Federal, extramural grant funding. Single audits are costly for the Federal government and time-consuming for grant recipients (e.g., universities, States and localities, for-profit Small Business Innovation Research award recipients). Therefore, it is important that they be effectively used to protect Federal funds. Compliance with single audit requirements is especially important for the Department of Health and Human Services (HHS), as HHS is the largest grant-making agency in the Federal government. Within HHS, NIH awards a significant number of these grants. Other Federal offices also rely on NIH to comply with single audit requirements. Previous HHS Office of Inspector General (OIG) work found that NIH did not follow up on single audit findings within the required 6 months. This review revisits whether NIH is following up in a timely manner and evaluates NIH's compliance with other single audit requirements. This is OIG's first assessment of NIH's oversight and use of single audits since some responsibilities transferred from OIG to HHS's Assistant Secretary for Financial Resources (ASFR) in 2018.

HOW WE DID THIS STUDY

We collected and reviewed HHS and NIH policies on single audits. We also analyzed data and relevant documentation (e.g., single audit reports) for all management decision letters (MDLs) between September 1, 2020, and August 31, 2021. MDLs document NIH's review of single audits and corresponding corrective action plans. We also interviewed staff within NIH and ASFR due to ASFR's role in coordinating HHS's, and as such NIH's, single audit processes.

WHAT WE FOUND

NIH did not consistently ensure that recipients took appropriate and timely corrective action on single audit findings, as required by Federal regulation. Specifically, for over half of the single audits in our review, NIH did not issue MDLs that met the required 6-month deadline to document that it had assessed whether recipients were taking corrective actions to address single audit findings. On average, late MDLs were about 10 months beyond the 6-month deadline. Further, NIH did not use a risk-based approach to prioritize single audit findings, as encouraged by HHS policy, despite multiple audits having factors identified by HHS policy as high-risk. Also, because NIH did not issue some MDLs within 2 years, NIH may no longer have the legal authority to ensure that recipients address the corresponding audit findings, according to Federal regulation.

Additionally, NIH's use of single audit findings in making decisions about new and ongoing awards during our review period was limited. NIH does have policies to convey that awarding officials must review audit findings when making award decisions. However, NIH used a list of high-risk recipients that has not been updated since 2018 to inform these decisions. NIH's process for issuing alerts about vulnerabilities identified in single audit findings did not result in any alerts for recipients in our review period, despite multiple audits in our review having unresolved high-risk findings.

Finally, ASFR provides some data to NIH, but NIH does not track the effectiveness of single audit processes and single audits' use. However, NIH does not have processes to use ASFR's metrics or other data to track the effectiveness of its single audit processes and single audits' use. Using such data could help NIH oversee and ensure the integrity of awards it funds.

WHAT WE RECOMMEND

We recommend that NIH (1) ensure that the 6-month requirement for issuing MDLs for all single audits is met; (2) use risk to prioritize the issuance of MDLs; (3) ensure that relevant single audit data are available and used by NIH staff to inform decisions about new and ongoing awards; and (4) track the effectiveness of single audit processes and single audits' use. NIH concurred with all four of our recommendations.