Guidelines for external audits, inquiries, inspections and unannounced visits
Background and Purpose
Inquiries, information gathering and audits by federal or state government agencies or other external agencies are common at universities and do not necessarily mean that Washington University in St. Louis or any of its faculty or staff are being targeted or are being accused of having acted improperly or in noncompliance with laws, rules or regulations.
The purposes of this guideline are twofold:
- to provide guidance and assistance to university personnel whose areas are being audited, and
- to ensure that personnel in the applicable university area-specific compliance offices, the University Compliance Office, and the Office of the Executive Vice Chancellor & General Counsel are promptly informed of audit requests or unannounced visits so that they may coordinate the university’s approach and response to such audits as needed.
This guideline is not intended to apply to:
- Audits where the auditors are hired by the university to perform audits or consulting services.
- Regularly scheduled clinical trial monitoring visits conducted by industry sponsors.
External auditors are generally expected to contact the appropriate central university offices indicated below to announce audits or inspections, or to request information for such. However, it is possible that initial notifications by auditors or inspectors might be received by individual schools, departments, administrative support areas or members of faculty or staff.
It is the practice of Washington University reasonably to cooperate with all legitimate and appropriate inquiries from government authorities and other external agencies. However, laws and regulations and their enforcement are often complex, and the university may also need to act to protect personal health and financial information, institutional and third-party proprietary information, and other individual and institutional interests. Therefore, any contact by a government auditor or other third party auditor, whether by email, letter, telephone, fax, personal visit or other method, should be reported at once to the appropriate area-specific compliance office, and copies of any written documentation received by any faculty, staff or administrative personnel should also be promptly forwarded to the area-specific compliance office. (See listing of area-specific compliance offices immediately below.)
Area-specific compliance offices are those that have expertise in a particular compliance area and include:
- Animal Studies (314) 362-3229; Veterinary Care (314) 362-3700
- Environmental Health & Safety (314) 362-6816
- Export Trade Controls (314) 362-9071
- HIPAA (314) 747-0865
- Human Research Protection Office (HRPO) (314) 633-7400
- Human Resources (314) 935-5969
- Physician Billing Compliance Office (Medicare, Medicaid, RAC audits, etc.) (314) 747-7660
- Research Administration (including research integrity, human subjects, conflict of interest, export controls, Office of Sponsored Research Services) (314) 747-6253
- Resource Management, (314) 935-5727
- Sponsored Projects Accounting (financial audits of grants and research agreements) (314) 935-7089
- Student Financial Aid (314) 935-5765
- University Tax or Accounting matters (314) 935-9853
The area-specific compliance offices shall then promptly notify the University Compliance Office and the Office of the Executive Vice Chancellor & General Counsel.
If external auditors/inspectors or university personnel who receive audit notifications are unsure which office is the appropriate area-specific compliance office, they should promptly contact the University Compliance Office at (314) 362-4915 for assistance.
Audit Protocol after Notification of the Audit/Inspection
In connection with a formal third-party audit, the auditor or inspector should submit a formal written engagement letter to the area-specific compliance office or the University Compliance Office, which includes:
- Scope of the audit
- Period under audit
- Requestor (agency)
- Reason for the audit
- Lead auditor name and contact information
- Requested start date for audit, desk audit or fieldwork
- Any requests for data to be prepared in advance
The area-specific compliance office listed above will schedule an entrance conference when appropriate, and will name a university “lead” for the audit, in consultation with the University Compliance Office and the Office of the Executive Vice Chancellor & General Counsel. The university lead and other significantly affected area-specific compliance office, school, departmental and university representatives may be in attendance at any opening audit conference. Both the university and external auditors or inspectors must be aware that the meeting is intended as an entrance conference. In lieu of a meeting, the entrance conference may also occur by phone if all parties agree.
At formal entrance conferences, university personnel and the external auditors or inspectors will usually discuss the following issues, at a minimum. For other types of reviews, similar topics should also be covered.
- Audit personnel who will be involved in the project, including contact details and work schedule
- Timing of the audit – estimated start and anticipated completion dates
- Interviews with faculty/staff, if applicable
- Any necessary information security agreements, authorizations and/or protocols
- Type of deliverable/report
- The university’s opportunity to review or comment on the contents of the deliverable
- Office space and parking and travel requirements for the auditors or inspectors
Depending on the complexity and length of the audit, weekly status meetings or phone conferences may be scheduled.
All requests for information should be submitted in writing to the university lead and must include the date the information is needed. If the request is somewhat informal, the auditor/inspector may call the university lead; however, the university may still require the request be followed up in writing. The university will inform the auditors/inspectors if audit requests will take additional time.
A university representative should accompany auditors/inspectors on all visits, interviews, or meetings with faculty and/or staff, including walk-throughs of university buildings and space. The auditors/inspectors will contact the university lead to facilitate this process. The university may also require that a representative(s) from its Office of the Executive Vice Chancellor & General Counsel and/or the University Compliance Office attend any of the visits, interviews or meetings deemed necessary.
Requests for data downloads/reports may take more than one day. Every effort should be made to provide the university with at least two business days to respond to a request for downloads/reports.
Potential findings from all audits and inspections, including FDA site visits, should be communicated to the university lead and the University Compliance Office as soon as possible throughout the audit.
The university lead should be made aware immediately of any known changes in audit deadlines that will impact the university.
If the auditors/inspectors encounter any delays from the university or have a concern about turnaround times and/or responsiveness of university staff, they should make either the university lead or the University Compliance Office aware of this concern immediately.
Upon notification of completion of field work or data collection from the auditors/inspectors, the university lead should schedule an exit conference with the auditors/inspectors and appropriate university personnel. This meeting may be held over the telephone if all parties agree. There should be no surprises at the exit conference, i.e., if the protocol is followed, all issues/concerns/findings will have been discussed prior to the exit conference, but at the very latest, the exit conference should flush out all issues before the auditors complete their field work or data collection work.
The area-specific compliance office should seek advice from the University Compliance Office and the Office of the Executive Vice Chancellor & General Counsel regarding all formal audit/inspection responses on behalf of the University before they are submitted.
Search Warrants or Subpoenas
The above general rules may not apply in the case of search warrants or subpoenas. In those situations, please refer to the Office of the Executive Vice Chancellor & General Counsel’s separate guidance.
Unannounced Visits or Calls to Workplace or Home
If an auditor, inspector or federal agent arrives unannounced at a university faculty or staff member’s home or calls and requests to speak to him/her immediately regarding university business, the university faculty or staff member has the right to speak to the auditor/inspector/federal agent, but is not required to do so. University personnel have the right to decline to speak to an auditor/inspector/federal agent or to postpone the interview until they have had an opportunity to seek guidance from the university’s Office of Executive Vice Chancellor & General Counsel or their own legal counsel.
If an auditor, inspector or federal agent arrives unannounced at a university office or facility and requests to speak him/her immediately, the university faculty or staff member with authority over that area should ask the auditor/inspector/federal agent to wait in a comfortable public or secure location and should postpone any substantive interview until university personnel have had an opportunity to seek guidance from the University Compliance Office, area-specific compliance office, and the university’s Office of Executive Vice Chancellor & General Counsel.
Anyone receiving an unannounced contact or visit should obtain as much information as possible from the auditor, inspector or federal agent, such as their names, agency or other affiliation and the intent of the audit and promptly contact the offices listed in the above two points for guidance on next steps.
Auditors, inspectors and federal agents should at all times be treated respectfully, but should not be given access to university documents, personnel or facilities until the guidance is received.
Questions or concerns regarding this guideline may be directed to the University Compliance Office at (314) 362-4915.
Adopted: December 4, 2009
By: University Compliance Office with approval of the Office of the Executive Vice Chancellor and General Counsel