Institutions may also want to note that several of the elements of this compliance guidance are considered ``mitigating factors'' that must be considered as part of a formal debarment action by the Department.\4\
\4\ See 45 CFR 76.860(l), (n), (p), and (q).

C. Application of Compliance Program Guidance

There is no single ``best'' compliance program. Institutions may take differing approaches to how they rely upon internal audits in monitoring compliance issues, how they comprise their compliance committee, and whether they include compliance for research misconduct and human and animal subject protections as part of a single compliance program. Some institutions may already have a compliance program in place; others only now may be initiating such efforts.

Institutions may also have identified, through audits or internal inquiries, particular management concerns or areas of high risk that may call for
[[Page 71315]]
developing or refining compliance elements to address these areas.

OIG has identified three major potential risk areas for recipients of NIH research awards: (1) Time and effort reporting, (2) properly allocating charges to award projects, and (3) reporting of financial support from other sources. These risk areas, although not exhaustive of all potential risk areas, are discussed in greater detail in section II below.

The compliance measures adopted by an institution should be tailored to fit the unique environment of the institution (including its organizational structure, operations and resources, as well as prior enforcement experience). In short, OIG recommends that each institution should adapt the objectives and principles underlying the measures outlined in this guidance to its own particular circumstances. II. Risk Areas

As with previous OIG CPGs, in this section we highlight examples of risk areas to assist institutions in developing a compliance program. The identification of risk areas is an important aspect of formulating policies and procedures, developing a training and education program, and conducting internal monitoring and audits. This section addresses a few examples of risk areas for recipients of PHS research awards that have come to OIG's attention: (1) Time and effort reporting, (2) properly allocating charges to award projects, and (3) reporting of financial support from other sources. The areas identified in this section are in no way intended to be exhaustive of all potential risk areas. Institutions may identify other areas based on their own operations and experiences. As an example, subrecipient monitoring may be an important risk area for those institutions that rely heavily on their own grants and contracts to fulfill the purposes of a PHS award. A. Time and Effort Reporting

One critical compliance issue is the accurate reporting of research time and effort. Because the compensation for the personal services of researchersboth direct salary and fringe benefitsis typically a major cost of a project, it is critical that the portion of the researcher's compensation for particular research projects be accurately reported. One reason that we view time and effort reporting as a critical risk area is that many researchers have multiple responsibilitiessometimes involving teaching, research, and clinical workthat must be accurately measured and monitored. In the course of a researcher's workday, the separation between these areas of activity can sometimes be hard to discern, which heightens the need to have effective timekeeping systems.

For this reason, institutions need to be especially vigilant in accurately reporting the percentage of time devoted to projects. Accurate time and effort reporting systems are essential to ensure that PHS and other funding sources are properly charged for the activities of researchers. The failure to maintain accurate time and effort reporting may result in overcharges to funding sources and, in certain circumstances, could subject an institution to civil or criminal fraud investigations.

We are aware of situations in which researchers falsely report the amount of time they intend to devote to research projects. For example, it would be clearly improper for researchers in award applications to separately report to three awarding agencies that they intend to spend 50 percent of their time on each of the three awards. Some recent cases we have seen involved the ``commitment of effort'' by researchers wherein the Government believed that the institution failed to account properly for the clinical practice time of researchers, in addition to their academic and research time at the institution. As an example, it would be improper to report to NIH or another awarding agency that 70 percent of a researcher's time would be spent on an award when 50 percent of the researcher's time would be spent on clinical responsibilities.

For colleges and universities, the rules governing compensation for personal services, including payroll distributions, are contained in OMB Circular A21,\5\ Cost Principles for Educational Institutions, section J.10.\6\ Under section J.10 of OMB Circular A21, institutions must establish a system of payroll distribution and must usually maintain ``afterthefact Activity Reports'' or employ another method to report accurately the distribution of activity of employees. (See especially, section J.10, paragraphs b.(2)(a)(c)). The accuracy of these activity reports is critical for the awarding agency to understand the amount of research conducted under the award. More specific guidance is contained in the instructions to PHS Form 398, Application for a Public Health Service Grant,\7\ available at http://www.grants.nih.gov/grants/funding/phs398/phs398.html (``Definitions,'' definition of ``Institutional Base Salary''), and in the NIH Grants Policy Statement, Part I, Definitions, available at http://grants1.nih.gov/grants/policy/nihgps (``Glossary,'' definition of
``Institutional Base Salary,'' and Selected Items of Cost, ``Salaries and Wages'' and ``Payroll Distribution'').
\5\ For State and local governments, the rules governing compensation for personal services is contained in OMB Circular A 87, Cost Principles for State, Local and Indian Tribal Governments, Attachment B, Sec. 11. For nonprofit organizations, it is contained in OMB Circular A122, Cost Principles for NonProfit Organizations, Attachment B, paragraph 7. For hospitals, the rules are contained in 45 CFR part 74, Appendix E, Principles for Determining Costs Applicable to Research and Development under Grants and Contracts with Hospitals, Sec. IX, paragraph B.7. \6\ By regulation, OMB Circular A21 and the other cost principles are made applicable to recipients of Department awards. 45 CFR 74.27(a). The cost principles have also recently been codified in title 2 of the CFR.
\7\ The Public Health Service Grant Application, PHS Form 398, is being replaced with an electronic application form, the standard form 424 R&R. According to NIH, the new form will incorporate all the policies and definitions currently contained in the Form 398.

Another issue in reporting the commitment of effort to research projects is the accurate and consistent treatment of ``institutional base salary'' (IBS). IBS effectively serves as the denominator in calculating the proportion of an employee's activity that is allocated to particular Federal awards. While IBS typically includes only nonclinical work of employees, certain institutions include clinical work based on a more expansive definition of the ``institution'' for cost reporting purposes. For those institutions, it is critical that the clinical and nonclinical work activities of researchers are reported so that salary is correctly allocated among Federal and non Federal sources.\8\
\8\ NIH has recently expanded its guidelines addressing when institutions may include clinical practice compensation as part of institutional base salary. Among other tests, the compensation must be set by the institution, be paid through or at the direction of the institution, and be included and accounted for in the
institution's effort reporting and/or payroll distribution system. See Guidelines for Inclusion of Clinical Practice Compensation in Institutional Base Salary Charged to NIH Grants and Contracts, http://grants.nih.gov/grants/guide/noticefiles/NOTOD050061.html. B. Properly Allocating Charges to Award Projects

Research institutions commonly receive multiple awards for a single research area. It is essential that accounting systems properly separate the amount of funding from each funding source. Institutions must also be vigilant about clearly fraudulent practices such as principal investigators on different projects banking or trading award funds among themselves. The failure to account accurately for charges to various award projects can result in
[[Page 71316]]
significant disallowances or, in certain circumstances, could subject an institution to criminal or civil fraud investigations.

In one recent civil fraud action, an institution settled allegations by the Government that it made endofyear transfers of direct costs on various Federally funded research awards from overspent accounts to underspent accounts, with the purpose of maximizing its Federal reimbursement and, in some cases, avoiding the refunding of unused grant proceeds.

The general principles governing the allocation of costs are found in the appropriate sets of cost principles, such as OMB Circular A21 for colleges and universities. Among those principles in Circular A21 is the rule that a ``cost is allocable to a particular cost objective * * * if the goods or services involved are chargeable or assignable to such cost objective in accordance with relative benefits received or other equitable relationship.'' Circular, Sec. C.4.\9\ Additional guidance on the allocation of costs may be found in the NIH Grants Policy Statement, Part II, Cost Considerations, available at htttp:// grants1.nih.gov/grants/policy/nihgps. Also, the Departmental Appeals Board has jurisdiction over cost allocation and rate disputes, as well as more generally over direct, discretionary grants, including biomedical research grants from NIH. (The Board's process is described in 45 CFR part 16.) Several Board decisions address the proper allocation of costs by colleges and universities.\10\
\9\ For State and local governments, a similar principle governing the allocation of costs is contained in OMB Circular A87, Cost Principles for State, Local and Indian Tribal Governments, Attachment A, Sec. C.3. For nonprofit organizations, it is contained at OMB Circular A122, Cost Principles for NonProfit Organizations, Sec. A.4. For hospitals, the principle is contained in 45 CFR Part 74, Appendix E, Principles for Determining Costs Applicable to Research and Development under Grants and Contracts with Hospitals, Sec. III, D.
\10\ Board decisions may be found on the Board's Web site at http://www.hhs.gov/dab/search.html, as well as with legal information services such as Westlaw and Lexis.

As with other administrative requirements governing Federal awards, the improper allocation of charges to various sources is not a mere ``accounting problem,'' in the sense that it has no real impact on the conduct of science. On the contrary, the failure to allocate correctly chargeswhether because of poor recordkeeping or as part of an intent to deceive funding sourceshas the effect of drawing away limited Federal research funds from projects for which they were intended and subverting the Government's ability to distribute funds to those projects most in need of support.

C. Reporting Financial Support From Other Sources

As with the proper reporting of time and effort and the allocation of charges, the reporting of financial support from other sources is critical for the awarding agency to understand the commitment of resources by the grantee to a particular project or award. Without complete and accurate information on other funding sources, PHS may be unable to determine whether a particular project should be funded and the amount of such funding. In some cases, failure to identify other support for a research project could cause PHS to provide duplicate funding to the project. At a minimum, information on other support would allow PHS to use its limited resources on other worthy projects that might otherwise be left unfunded.

For PHS awards, the reporting of other financial support is a required element of award applications and the failure to provide this information could, in certain, subject an institution to a criminal or civil fraud investigation. Other funding support is required to be reported as part of the application for funding (PHS Form 398), the instructions for which state that the applicant organization must disclose all compensation and salary support. (See PHS 398 Rev. 9/2004, Sec. III.H (``Other Support'') available at http://www.grants.nih.gov/grants/funding/phs398/PolAssurDef.doc. ) Moreover, the face page of the
PHS application includes a certification by both the Principal Investigator/Program Director and by the Applicant Organization that all statements in the application are ``true, complete, and accurate to the best of my knowledge'' and that ``false, fictitious, or fraudulent statements or claims could subject me to criminal, civil, or administrative penalties.'' (The face page is available at http://www.grants.nih.gov/grants/funding/phs398/fp1.doc. ) Additional guidance
for NIH grants is found in the NIH Grants Policy Statement, Part II, JustinTime Procedures, available at http://grants1.nih.gov/grants/policy/nihgps .

A problem related to the failure to accurately and completely report support from other financial sources is the charging of both award funds and Medicare and other health care insurers for performing the same service. This is clearly improper and has subjected institutions to fraud investigations.
III. Compliance Program Elements

A. The Basic Compliance Elements

At a minimum, a comprehensive compliance program should include the following elements:
(1) The development and distribution of written standards of conduct, as well as written policies and procedures, that reflect the institution's commitment to compliance.
(2) The designation of a compliance officer and a compliance committee charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the head of the organization, such as the president and/or the board of regents in the case of a university.
(3) The development and implementation of regular, effective education and training programs for all affected employees. (4) The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions that are addressed in a timely and meaningful way, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation. (5) The clear definition of roles and responsibilities within the institution's organization and ensuring the effective assignment of oversight responsibilities.
(6) The use of audits and/or other risk evaluation techniques to monitor compliance and identify problem areas.
(7) The enforcement of appropriate disciplinary action against employees or contractors who have violated institutional policies, procedures, and/or applicable Federal requirements for the use of Federal research dollars, and
(8) The development of policies and procedures for the investigation of identified instances of noncompliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures.

B. Written Policies and Procedures

In developing a compliance program, every institution should develop and distribute written policies and procedures addressing compliance with Federal award requirements. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and relevant institution officials. They should also be
[[Page 71317]]
reviewed at regular intervals to ensure that they are current and relevant.

At a minimum, the policies and procedures should be provided to all faculty members and other employees who are affected by them, to students who may be conducting research with Federal awards, and to any agents or contractors who may furnish services in connection with Federal research awards. The policies and procedures should be easily found and accessible, such as, for example, on the institution's Internet or intranet site. Since institutions also typically maintain policies and procedures governing other compliance issues, including conflicts of interest, human subject research, and the maintenance and reporting of research data, they may choose to compile these various policies and procedures on a single Internet or intranet site.

In addition to a clear statement of detailed and substantive policies and procedures, OIG recommends that institutions that receive PHS research awards develop a general institutional statement of ethical and compliance principles that will guide the institution's operations. One common expression of this statement of principles is the code of conduct. The code should function in the same fashion as a constitution, i.e., as a document that details the fundamental principles, values, and framework for action within an organization. The code of conduct for research institutions should articulate the institution's expectations of commitment to compliance by management, employees, and agents, and should summarize the broad ethical and legal principles under which the institutions must operate. Unlike the more detailed policies and procedures, the code of conduct should be brief and cover general principles applicable to all employees.

OIG strongly encourages the participation and involvement, as appropriate, of senior management of the institution, such as the board of regents and president, as well as other personnel from various levels of the organizational structure, in the development of all aspects of the compliance program, especially the code of conduct. Management and employee involvement in this process communicates a strong and explicit commitment by management to foster compliance with applicable program requirements. It also communicates the need for all employees to comply with the organization's code of conduct and policies and procedures.
C. Designation of a Compliance Officer and a Compliance Committee 1. Compliance Officer

Every research institution should designate a compliance officer who will have daytoday responsibility for overseeing and coordinating the compliance program. For smaller institutions, the compliance officer responsibilities might be added to other management responsibilities, or, for very large institutions, there could be several compliance officers who would have responsibility for different major activities of the institution. However, designating a compliance officer with the appropriate level of authority is critical to the success of the program. Optimally, the officer should report directly to the institution's president and should have direct access to the board of regents or other governing body, senior administration officials, and legal counsel. For very large institutions, if it is not possible to report directly to the president, the officer should report to the provost or official with similar highlevel responsibility for the oversight of research administration. The compliance officer should have sufficient funding, resources, and staff to perform his or her responsibilities fully.

The compliance officer's primary responsibilities should include:

The compliance officer must have the authority to review all documents and other information relevant to compliance activities. This review authority should enable the compliance officer to determine whether the institution is in compliance with PHS or other Federal program requirements. Where appropriate, the compliance officer should seek the advice of competent legal counsel about these matters. 2. Compliance Committee

OIG recommends that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.\12\ If structured appropriately, the committee can provide the compliance officer with contacts in various parts of the institution and the names of individuals who possess subject matter expertise. If the
[[Page 71318]]
institution employs individuals who already have responsibility for compliance in various subject areas, for example biosafety or care and use of animals, these individuals would be obvious candidates for the compliance committee.
\12\ The compliance committee benefits from having the perspectives of individuals with varying responsibilities and areas of knowledge in the organization, such as operations, finance, audit, human resources, and legal, as well as faculty members. The compliance officer should be an integral member of the committee. All committee members should have the requisite seniority and comprehensive experience within their respective areas to recommend and implement any necessary changes to policies and procedures.

When developing an appropriate team of people to serve as the compliance committee, the institution should also consider including individuals with a variety of skills and personality traits as team members. The institution should expect its compliance committee members and compliance officer to demonstrate integrity, good judgment, assertiveness, and an approachable demeanor, while eliciting the respect and trust of employees. These interpersonal skills are as important as the professional experience of the compliance officer and each member of the compliance committee. Examples of individuals that the institution might consider as members of the compliance committee include institutional ombudsman staff and alternative dispute resolution staff.

Once an institution chooses the members of the compliance committee, the institution needs to train these individuals on the policies and procedures of the compliance program, as well as how to discharge their duties. In essence, the compliance committee should function as an extension of the compliance officer and provide the organization with increased oversight.

D. Conducting Effective Training

The training of appropriate administrators, both at the institution and department levels, faculty (including principal investigators), other staff, and contractors on award administration and other program requirements is an important element of an effective compliance program. The focus of the training and its level of detail will depend on the particular needs of the institution. In addition to training sessions, the institution may also undertake other educational efforts, such as disseminating publications that explain specific requirements in a practical manner. In developing training programs, it may be helpful to involve faculty, such as principal investigators, who will be receiving the training. This will allow these individuals to offer their insights, encourage more enthusiastic participation in the training sessions, and promote buyin with the compliance program.

An institution should provide general training sessions that cover such issues as ethical standards and the institution's commitment to compliance issues. All employees, and where feasible and appropriate contractors, should receive the general training. General training should include the contents of the institution's compliance program, such as the role of the compliance officer and committee and the availability of an anonymous complaint mechanism. It should include both a description of the many types of compliance issues that administrators, faculty and other employees may need to address in the course of their careers, and the sources of guidance in resolving those issues.

More specific training programs would be designed for more specialized audiences. For example, administrative personnel who manage award funding should receive detailed training on Federal cost principles and grant administration regulations and policies. Employees who are involved with clinical research should receive training on the protection of human subjects, the Institutional Review Board process, and the responsible conduct of research. Administration officers and other key staff can assist in identifying additional specialized areas for training. Areas of training may also be identified through internal audits and monitoring and from a review of any past compliance problems.

Training instructors may come from outside or inside the organization, but must be qualified to present the subject matter involved and sufficiently experienced in the issues presented to adequately field questions and coordinate discussions among those being trained. Ideally, training instructors should be available for follow up questions after the formal training session has been conducted.

General and specific training sessions should be provided both upon initial employment with the institution as well as on some periodic schedule, depending on the needs of the audience. Specialized training should be provided on a more frequent basis, perhaps annually or more frequently.

One technique to consider for training is to report actual examples of compliance problems at the institution or at other institutions, typically without any identifying information. This may serve to educate staff on these issues the institution considers important, how the compliance process works, and the actions that can be taken against individuals for more serious problems.

An institution may wish to vary the manner of training, both for general and specific training. Inperson training sessions may be more effective than other types of training and are usually important for initial training sessions for new employees or when employees have changed their job responsibilities. However, followup training may be provided in other formats, such as through videotaped presentations or webbased training in which participants certify that they have completed the training curriculum. If videos or computerbased programs are used for compliance training, OIG suggests that the institution make a qualified individual available to field questions from trainees.

The compliance officer should maintain records of all formal training undertaken by the institution as part of the compliance program. This should include attendance logs, descriptions of the training sessions, and copies of the material distributed at training sessions. Depending on need, an institution may require that employees receive a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities.

The institution needs to establish a mechanism to ensure that employees receive the training they need. Training could be made a condition of continued employment and failure to comply with training requirements could result in disciplinary action. Adherence to the training requirements as well as other provisions of the compliance program should be a factor in the annual evaluation of each employee. E. Developing Effective Lines of Communication

1. Access to Supervisors and/or the Compliance Officer

For a compliance program to work, employees must be able to ask questions and report problems. University officials, department chairpersons or other supervisors play a key role in responding to employee concerns and it is appropriate that they serve as a first line of communication. Research institutions should consider the adoption of opendoor policies to foster dialogue between management and employees. To encourage communications, confidentiality and nonretaliation policies should also be developed and distributed to all employees.

Open lines of communication between the compliance officer and employees are equally important to the successful implementation of a compliance program. In addition to serving as a contact point for reporting problems and initiating appropriate responsive action, the compliance officer should be viewed as someone to whom personnel can go for clarification on the institution's policies.
[[Page 71319]]

2. Hotlines and Other Forms of Communication

OIG encourages the use of hotlines, emails, newsletters, suggestion boxes, and other forms of information exchange to maintain open lines of communication. In addition, an effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of the institution's policies and procedures. Institution officials may also identify areas of risk or concern through periodic surveys.

If an institution establishes a hotline or other reporting mechanism, information regarding how to access the reporting mechanism should be made readily available to all employees and contractors by including that information in the code of conduct or by circulating the information (e.g., by publishing the hotline number or email address on wallet cards) or conspicuously posting the information in common work areas.\13\ Employees should be permitted to report matters on an anonymous basis.
\13\ Institutions might also choose to post in a prominent area the HHSOIG Hotline telephone number, 18004478477 (1800HHS

TIPS).

For the reporting mechanism to maintain credibility, it is important that the institution's review of the allegations be meaningful and that prompt and appropriate followup be conducted. Reported matters that suggest substantial violations of Federal program requirements should be documented and investigated promptly to determine their veracity and the scope and cause of any underlying problem. The compliance officer should maintain a thorough record of such complaints as well as any investigation, its results, and any remedial or disciplinary action taken. The institution may wish to provide such information, redacted of individual identifiers, to the institution's senior management, such as the board of regents and the president, and to the compliance committee.

F. Auditing and Monitoring

Auditing of an institution's operations and activities is a critical internal control mechanism. Under the Single Audit Act of 1984 (Pub. L. 98502), as amended, all institutions that expend $500,000 or more in Federal assistance are required to have a single audit of the ``nonFederal entity,'' which must be conducted in accordance with generally accepted Government auditing standards. (31 U.S.C. 7502, OMB Circular A133.) Major institutions typically also have an annual financial statement audit, often conducted by the same firm that conducts its single audit, for the purpose of expressing an opinion as to the fairness of the information contained in the financial statements for the institution.

In addition to the mandated single audit and the financial statement audit, institutions should consider having additional performance audits, focused on particular areas of activity. Internal auditors may already be performing such audits, although an external auditor may in some cases be able to provide a greater level of independence in this work or should be considered when there is a particular problem or risk area that needs attention. Whether audits of compliance with Federal program requirements are performed by internal or external auditors, they should follow generally accepted Government auditing standards, published by the Government Accountability Office as ``Government Auditing Standards,'' known as the ``Yellow Book.''

Institutions should consider conducting risk assessments to determine where to devote audit resources, such as for separate performance audits, and may wish to consider the risk areas we identified above in section II. Risk assessments could be coordinated by the compliance officer. The institution's disclosure statement under OMB Circular A21if it is required to submit onemay already include identification of risk areas. The A133 audit itself may also identify risk areas or the program agencies may identify risk areas based on their review of the A133 audit.

An effective compliance program should also incorporate thorough monitoring of its implementation and an ongoing evaluation process. The compliance officer should document this ongoing monitoring, including reports of suspected noncompliance, and provide these assessments to the institution's senior management and the compliance committee. The extent and frequency of the compliance audits may differ depending on variables such as the institution's available resources, prior history of noncompliance, and the risk factors particular to the institution. The nature of the reviews may also vary and could include a prospective systemic review of the institution's processes, protocols, and practices, or a retrospective review of actual practices in a particular area.

Although many assessment techniques are available, it is often effective to engage internal or external evaluators who have relevant expertise to perform regular compliance reviews. The reviews should focus on those divisions or departments of the institution that have substantive involvement with or impact on Federal programs and on the risk areas identified in this guidance. The reviews should also evaluate the policies and procedures regarding other areas of concern identified by OIG and Federal and State law enforcement agencies. Specifically, the reviews should evaluate whether: (1) The institution has policies covering the identified risk areas, (2) the policies were implemented and communicated, and (3) the policies were followed. G. Enforcing Standards Through WellPublicized Disciplinary Guidelines

An effective compliance program should include clear and specific disciplinary policies that set out the consequences of violating Federal or State requirements, the institution's code of conduct, or its policies and procedures. Any research institution should consistently undertake appropriate disciplinary action across the institution for the disciplinary policy to have the required deterrent effect. Intentional and material noncompliance should not be tolerated and should subject transgressors to significant sanctions. Such sanctions could range from oral warnings to suspension, termination or other sanctions, as appropriate. Disciplinary action also may be appropriate when a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct. Each situation must be considered on a casebycase basis, taking into account all relevant factors, to determine the appropriate response. H. Responding to Detected Problems and Developing Corrective Action Initiatives

1. Violations and Investigations

Violation of an institution's compliance program, failure to comply with applicable Federal or State law, and other types of misconduct threaten the institution's reputation in the scientific and research community. Consequently, upon receipt of reasonable indications of suspected noncompliance, it is important that the compliance officer or other officials immediately investigate the allegations to determine whether a material violation of applicable law or the requirements of the compliance program has occurred and, if so, take decisive [[Page 71320]]
steps to correct the problem.\14\ The exact nature and level of thoroughness of the investigation will vary according to the circumstances, but the review should be detailed enough to identify the cause of the problem. As appropriate, the investigation may include a corrective action plan, an assessment of internal controls, a report and repayment to the Government, and/or a referral to law enforcement authorities or regulatory bodies.
\14\ Instances of noncompliance must be determined on a caseby case basis. The existence or amount of a monetary loss to PHS or other Federal programs is not solely determinative of whether the conduct should be investigated and reported to governmental authorities. In fact, there may be instances where there is no readily identifiable monetary loss, but corrective actions are still necessary to protect the integrity of the program.

2. Reporting

Where the compliance officer, compliance committee, or member of the institution's administration discovers credible evidence of misconduct from any source and, after a reasonable inquiry, believes that the conduct may violate criminal, civil, or administrative law, the institution should promptly report the existence of misconduct to the appropriate authorities within a reasonable period, but not more than 60 days, after determining that there is credible evidence of a violation. This includes the reporting of criminal or civil misconduct to Federal and State authorities,\15\ or, for example, in the case of research misconduct to the appropriate institutional body or to the Department's Office of Research Integrity. Prompt voluntary reporting will demonstrate the institution's good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct may be considered a mitigating factor by the responsible law enforcement or regulatory office, including OIG. \15\ Appropriate Federal authorities include OIG, the Criminal and Civil Divisions of the Department of Justice, the U.S. Attorney in the institution's district, and the Federal Bureau of
Investigation. State authorities may include the appropriate division of the State Attorney General's office or, if separate from the Attorney General, the District Attorney or other criminal prosecutive office.

When reporting to the Government, an institution should provide all information relevant to the alleged violation of applicable Federal or State law(s) and the potential financial or other impact of the alleged violation. The compliance officer, under advice of counsel and with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, and especially if the investigation ultimately reveals that criminal, civil or administrative violations have occurred, the compliance officer should notify the appropriate authorities of the outcome of the investigation.
I. Establishing Roles and Responsibilities and Assigning Oversight Responsibility

It is especially important that roles and responsibilities regarding the use of PHS research awards be clearly defined and understood. Defining roles and responsibilities promotes accountability and is essential to the overall internal control structure of the institution.

Institutions should clearly delineate the responsibilities of all persons involved with the conduct of federally supported research, including both administration or department personnel with oversight responsibility as well as principal investigators and other personnel who are engaged in research.

Under PHS regulations, it is typically the institution itself that qualifies as the ``responsible legal entity'' for grant compliance purposes. (See 42 CFR 52.2 (definition of ``Grantee'').) Clearly defining roles and responsibilities can assist institutions in fulfilling their legal responsibility to comply with Department requirements, removing any uncertainty as to the precise responsibility of all individuals involved in the research enterprise. It can also assist individuals in defending against allegations that they recklessly disregarded award requirements.

Roles and responsibilities for each position should be clearly communicated and accessible. Including roles and responsibilities in the institution's written policies and procedures and in its formal training and education program could accomplish this objective. IV. Conclusion

The growth in Federal funding for scientific research over the past decade has prompted a need for more effective compliance by recipient institutions. Many institutions have recognized this need and have developed formal compliance programs. We believe that all research institutions would benefit from compliance programs that, if effectively implemented, would foster a culture of compliance that begins at the administration or management level and permeates throughout the organization. The purpose of this voluntary guidance is to offer a ``checklist'' of items that we believe is critical for refining or developing an effective compliance program. While the guidance focuses on award administration, adopting the principles and standards in the guidance would benefit other activities that are subject to Government regulation, including human subject research, ethics, and the responsible conduct of science.

Dated: November 21, 2005.
Daniel R. Levinson,
Inspector General.

Appendix A

Association of American Medical Colleges, Protecting Subjects, Preserving Trust, Promoting Progress: Policy and Guidelines for the Oversight of Individual Financial Interests in Human Subjects Research (December 2001).

Association of American Medical Colleges, Protecting Subjects, Preserving Trust, Promoting Progress: Principles and Recommendations for the Oversight of Individual Financial Interests in Human Subjects Research II (October 2002).

Council on Governmental Relations, Managing Externally Funded Research Programs: A Guide to Effective Management Practices (June 2005), available at http://www.cogr.edu/docs.

Grant, Geoffrey, et al., Creating Effective Research Compliance Programs in Academic Institutions, 74 American Medicine 9 (September 1999).

Kenney, Jr., Robert J., ``Dual Compensation'' and ``Separate Compensation'' Arrangements in the Wake of the Northwestern University Settlement, 14 Research Management Review 1 (Spring 2004).

Murphy, Diane E., The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics, 87 Iowa L. Rev. 697 (January 2002).

National Council of University Research Administrators (NCURA), A Guide to Managing Federal Grants for Colleges and Universities, available at http://www.ncura.edu/publications/aispub.htm.

National Institutes of Health, Office of Extramural Research, Proactive Compliance Site Visits FY 2000FY 2002: A Compendium of Findings and Observations (2002).

Steinberg, Nisan A., Regulation of Scientific Misconduct in Federally Funded Research, 10 S. Cal. Interdisc. L.J. 39 (Fall 2000).

Walsh, Barbara E., et al., The Compliance Umbrella, Business Officer 18 (January 2000).

Walsh, Barbara E., et al., A Model Operating Process, Business Officer 42 (March 2000).
[FR Doc. E56548 Filed 112505; 8:45 am]
BILLING CODE 415201P

FOR FURTHER INFORMATION CONTACT

Richard B. Stern, Office of Counsel to the Inspector General, (202) 6190335, or Joel Schaer, Office of External Affairs, (202) 6190089.