Baker Tilly refers to Baker Tilly Virchow Krause, LLP,an independently owned and managed member of Baker Tilly International.

Sponsored Research Compliance:Best Practices for Working with Auditors

Introductions

2

Raina Rose TaglePartner and National

Practice Leader,

Baker Tilly

Higher Education

Adrienne LarmettSenior Consultant,

Baker Tilly

Higher Education

Presentation Overview

• Session Objectives

• The Many Forms of Research Audits

• Internal Audit Overview

• Making the Most of Your Internal Audit Relationship

• The Audit Process: Where You Fit In and Best Practices for Survival

• Withstanding Audits

3

Session Objectives

• Compare and contrast internal audits with the conduct and focus of external financial statement audits and Office of Inspector General (OIG) audits

• Gain a better understanding of internal audit’s role within an organization and its key activities

• Understand how you can leverage internal audit’s activities to enhance your department’s operations

• Discuss best practices in interfacing with auditors

• Learn how you fit into the audit process

• Become better prepared to withstand all types of audits, including OIG audits

4

>Key Construction Activities

•

The Many Forms of Research Audits

Who May Audit Research?

Receiving research funding (both public and private) adds an increased level of scrutiny to organizations and individuals. The receipt of a research award brings new challenges in terms of compliance and reporting, along with the standard financial and administrative processes involved in the organization’s standard operations. As such, research may be audited by many groups, including:

• External Auditors (e.g., A-133 Auditors)

• Research Sponsors

• Federal Offices of Inspector General (IGs)

• Internal Audit

6

Why Perform More Than One Audit?A-133 Audits

• Commonly known as a “Single Audit,” the Office of Management and Budget’s (OMB) Circular A-133 audit is required of institutions expending over $500,000 of federal support for research.

• The A-133 audit is an institution-wide examination performed annually with the objective of providing assurance to the federal government as to the management and use of federal funds by recipients.

• The audit is typically performed by an independent certified public accountant (CPA) and encompasses both financial and compliance components.

• Single Audits must be submitted to the Federal Audit Clearinghouse.

7

Why Perform More Than One Audit?Sponsor Audits

• Recipients of grant funds must comply with all applicable federal statutes, regulations, and policies. Sponsors, such as the National Institutes of Health (NIH) or National Science Foundation (NSF), will conduct audits of particular systems or specific awards to provide assurance that grant recipients are being good stewards of funds.

• Sponsors conduct financial audits to determine whether costs claimed by awardees are allowable, reasonable, and properly allocated.

8

Why Perform More Than One Audit?OIG Audits

• Each federal agency granting funding has an Office of Inspector General (OIG) responsible for providing independent oversight of the agency’s programs and operations.

• An OIG assesses internal controls, financial management, information technology, and other systems that affect the operation of agency programs.

• The OIG enforces integrity in agency operations by identifying individuals or entities who attempt to abuse the public trust or defraud government programs.

• OIG’s are staffed with auditors, investigators, attorneys, scientists, and other specialists.

9

How Does Internal Audit Fit within the Audit Landscape?

In addition to handling external audits, institutions should work with their internal auditors to review processes and procedures and evaluate compliance. Internal audit works on behalf of an institution, helping to evaluate and review systems, processes, and procedures to help achieve desired goals and objectives. Internal auditors can help an institution to assess the design of policies and controls, compliance with federal regulations, and risks existing within current operations.

Reviews may be focused on an organizational level (processes) or on specific departments or awards (administration).

10

Internal Audit’s Relationship with Other Audit Organizations

While A-133, sponsor, and OIG auditors are working to provide assurance to external sources, internal audit is helping to promote compliance and efficiency within an institution. Typical internal audit activities include:

• Process Reviews

• Program/Project-specific Audits

• System Audits

• Fraud Investigations

Internal audit may also work in conjunction with the A-133 audit team or help the institution to coordinate other external reviews.

11

>Key Construction Activities

•

Internal Audit Overview

Internal Audit: Are They (We!) the Bad Guys?

• The “watchdogs” of the institution– Internal audit horror stories?

Or…

• A critical business function whose role is to support the institution in achieving its strategic goals

• A forward-looking, consultative function that helps the institution to anticipate and manage its risks proactively

– Internal audit success stories?

13

Beyond “Gotcha”: The Role of Internal Audit in Today’s Research Institution

14

Tactical Strategic

Reactive Proactive

Backward looking Forward looking

Focused on accounting Focused on the business

Singular focus on compliance

An appropriate complement of risk-based

and compliance-based auditing

“Gotcha” Helpful ally

How Can Internal Audit Have a Positive Impact?

At the Institution Level• Provide a comprehensive view of risk throughout the institution

• Help management and administrators make the most of limited resources

• Provide proactive advice for strengthening processes and controls

At the Department Level• Identify fraud, waste, or abuse in your department

• Help improve efficiency and compliance in your department

• Give you a voice to management

• Assist you in making difficult changes, such as implementing a new system

15

How Does Internal Audit Fit within the Organization?

• Audit Committee – This Board committee oversees the performance of the internal audit

function, approves the annual audit plan, and reviews the audit results

• Executive Leadership and Management– On a day-to-day basis, internal auditors report administratively to one or

more members of the institution’s executive leadership, such as a chief financial officer. Internal audit should work collaboratively with management on annual audit planning, and should share audit results with management before reporting to the audit committee

• Department– Each internal audit addresses the activities of one or more departments,

either an academic or functional area

• Process Owner– Internal auditors work with “process owners” to understand policies,

procedures, and internal controls at a detailed level

16

So, What Do They Do? – Examples of Common Internal Audit Engagements

• Financial Audits– Reviewing expenses incurred by a Principal Investigator to assess allowability

per federal or sponsor regulations

• Compliance Audits– Reviewing the institution’s cost sharing policy for compliance with federal

regulations and sponsor requirements

• Operational Audits– Reviewing the operations of the procurement department to validate that cost

effective and timely choices are being made

• Risk Assessments– Evaluating risks in a particular area of the organization (or institution-wide) to

identify areas of focus for audit testing (or the focus of the overall internal audit plan)

• Fraud Investigations– Examining an allegation of fraud made via the institution’s anonymous

whistleblower hotline

17

>Key Construction Activities

•

Making the Most of Your

Internal Audit Relationship

19

It’s Okay to Ask for Help

Audits don’t have to be an unwanted experience. Internal audit can also perform audits/reviews at the request of a department and even provide “consulting” services.

Some instances when you may want to reach out to internal audit include:

• When you suspect fraud or misuse of resources

• If you need to identify best practices and/or compare issues against the organization’s (or specific area’s) peer group

• When you suspect your internal controls are weak

• If your operations aren’t as efficient as they could be

How to Best Leverage Internal Audit to Help Your Department

• Give details and specifics of the issue, including hard evidence if available

• Be unbiased and objective; discuss the issue in terms of what’s best for the organization

• Explain potential outcomes from the current situation, and what could happen if it continued unabated

• Consider calling the anonymous hotline, especially if you worry about retribution

20

>Key Construction Activities

•

The Audit Process: Where You Fit In and Best Practices for Survival

But Really, What Do Auditors DO?The Audit Process

22

Phase 1 – Audit Planning

Determine the audit objectives, scope, timing, and resources necessary

to conduct the audit

Phase 2 – Preliminary Steps

Gather information about the process to be audited and assess the adequacy

of internal controls

Phase 3 – Fieldwork

Conduct interviews, test transactions, analyze the

results of testing, and formulate preliminary

observations and recommendations

Phase 4 – Reporting

Communicate the results of the audit to the auditee, management, and Audit

Committee

Phase 1: Audit Planning

During the first phase of an audit, the auditors are working to identify the most beneficial objectives and what related processes or controls to review. To determine this, auditors assess several factors, including:

• Risks within the identified audit area

• Regulatory or compliance requirements

• Changes in organizational leadership or processes

• Results of prior audits

23

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

Phase 1: Audit Planning – Where You Fit In and How to Survive

• Designate an audit liaison from your institution/department to work directly with the auditors

– Proactively share conflicts and timing constraints

• Educate the auditors about your institution/department in your own terms to ensure you are speaking the same language

• Educate yourself! Understand and use “audit lingo” to bridge any communication gaps

• Disclose known issues within the audit area

• Ask questions to understand why you were chosen for audit

• Ensure that institution leadership and general counsel are made aware of any sponsor or OIG audits

24

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

Phase 2: Preliminary Steps

Before controls can be tested, auditors first need to understand how various processes work and what controls are involved. This phase will include:

• Identifying and reviewing relevant organizational policies and procedures, laws and regulations, or research terms and conditions

• Discussing how processes are performed within the specific audit area (process “walkthroughs”)

• Creating flowcharts or other documents describing the process and identifying potential gaps or compliance concerns (and strengths!)

25

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

Phase 2: Preliminary Steps – Where You Fit In and How to Survive

• Illustrate your processes in a meaningful way– Use real life documents

– Invite the auditors to sit with you and observe while you perform your responsibilities

• Describe the department’s activities in such a way that the auditors will understand. Remember that auditors are not scientists!

• Ask to review a draft of any documentation that the auditors create of your processes and controls to make sure they get it right, before decisions are made

26

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

Phase 3: Fieldwork

Once auditors have a grasp on how processes and controls should be functioning within an area, steps are taken to “test” if controls are actually working as intended. Fieldwork steps may include:

• Transaction testing

• Employee interviews

• Data analytics

27

Phase 3: Fieldwork – Where You Fit In and How to Survive

• Confirm the need before providing documentation to avoid excessive document requests

• Organize the documentation you provide to the auditors. Ask a colleague to double-check the completeness, accuracy, and organization

• Schedule regular check-ins with the auditors to address their follow-up questions in a structured way

• Explore alternatives if the documentation requested is not readily available. Auditors are often willing to perform alternate procedures or accept another type of documentation. Be creative!

• Collaborate with the auditors to understand their preliminary findings before they start to write their report

28

Phase 4: Reporting

Most audits conclude with a written report of audit results, which detail any strengths, concerns (or “findings”), and recommendations resulting from the work performed. An audit finding should detail the:

• Condition (What is?)

• Criteria (What should be?)

• Cause (Why is there a difference?)

• Effect (What is the impact?)

• Recommendation (How can this be corrected?)

29

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

Phase 4: Reporting – Where You Fit In and How to Survive

• Encourage the auditors to allow you to review the draft report before it is shared beyond your level or department. Provide feedback on the draft in a timely manner

• Engage other institution leaders and/or general counsel if serious findings emerge.

• Urge the auditors to be practical when making recommendations. Speak up when you know a recommendation will be difficult to implement in your department

• Provide feedback to internal audit after the audit – remember that you are the client and they want to serve you better!

30

Phase 1 – Audit

Planning

Phase 2 – Preliminary

Steps

Phase 3 – Fieldwork

Phase 4 – Reporting

>Key Construction Activities

•

Withstanding Audits

Withstanding Audits:Be Prepared

• Review the agenda and ensure all records and personnel will be available

• Provide a quiet location for the auditor(s) to work

• Designate an audit liaison to interact regularly with auditor(s) and agree upon the frequency of checking in

• Have all documentation readily available

• Have personnel re-familiarize themselves with protocols and records

32

Withstanding Audits:Be Prepared

• Know and understand relevant regulations and guidance

• Seek training

• Review protocols and associated documents

• Learn from past visits and audits

33

Withstanding Audits:During the Audit

• Take notes

• Questions asked and answers given

• Documents requested and provided

• Discussions of complex issues

• Keep copies of documents provided

• Suggest a wrap-up at the end of each day to review outstanding items, questions, and any additional requests

34

Withstanding Audits:During the Audit

• Respond to questions asked with straightforward, honest, and complete answers

• Provide only requested information – don’t answer unasked questions as it may lead to unnecessary prodding

• Don’t debate – clarify misunderstanding with positive rather than negative statements

• Be professional at all times – auditors are always listening and observing

35

Withstanding Audits:Audit Completion

• Auditors should conduct an exit interview – key process owners and stakeholders should participate and observations and finding should be reviewed

• A report with observations and findings will be issued generally three to six weeks after the audit is completed

• Reponses to audits will usually be requested in writing along with a corrective action plan if necessary

• Written responses should be SMART

> Specific, Measurable, Attainable, Relevant, Time-bound

• Responses should also be clear and precise

36

© Baker Tilly Virchow Krause, LLPBaker Tilly refers to Baker Tilly Virchow Krause, LLP,

an independently owned and managed member of Baker Tilly International.

Questions & Comments

Raina Rose Tagle, CPA, CIA, CISAraina.rosetagle@bakertilly.com(703) 923-8251

Adrienne Larmett, MBAadrienne.larmett@bakertilly.com(703) 923-8134

www.bakertilly.com/higher-education