National Institutes of Health: Completion of Comprehensive Risk Management Program Essential to Effective Oversight

GAO-09-687 September 11, 2009

Summary

The National Institutes of Health (NIH), an agency of the Department of Health and Human Services (HHS), is the primary federal agency for supporting medical research. The Office of the Director (OD) is the central NIH office responsible for setting policy and overseeing NIH's 27 institutes and centers (IC). Allegations involving one institute raised questions about areas of oversight by the OD. In light of these questions, GAO examined (1) how NIH makes extramural research funding decisions and OD monitoring of this process, (2) the design of selected internal controls over NIH's travel and personnel appointment processes, and (3) the design of NIH's new risk management program and the program it is replacing. To address these objectives, GAO reviewed relevant NIH policies, procedures, and supporting documentation. GAO also selected 3 institutes that varied in size for in-depth reviews.

NIH is required by law to make its extramural research funding decisions--funding provided to scientists external to NIH such as those at universities--using a dual peer review system. During the first level, initial peer review groups assess applications and assign a score to them based on their scientific merit. During the second level, advisory councils review the applications and their scores and, on the basis of this review, recommend to the ICs certain applications for funding consideration. IC directors can use their discretion and choose to fund applications based on factors in addition to scientific merit, "skipping" over applications with higher scores or making "exceptions" to fund applications with lower scores. GAO found that in fiscal year 2007, IC directors funded about 19 percent of NIH's applications for a common type of grant based on factors in addition to scientific merit. However, the NIH OD does not monitor the extent to which IC directors use such discretion when making extramural funding decisions--an action that would be consistent with federal internal control standards.

The NIH OD has established policies and procedures that incorporate key internal controls into the travel and personnel appointment processes. For example, the processes require multiple levels of review and approval. However, there is not an NIH-wide process for risk-based monitoring of the effectiveness of controls. Without monitoring actual implementation of controls based on assessed risk levels, NIH does not have adequate assurance that controls are operating as intended within those areas that have been identified as posing risks to the agency's ability to achieve its mission.

NIH's Management Control Program, a risk management program updated in 2004, did not comprehensively address risks to the agency's overall operations and resulted in a lack of sufficient information for effective oversight and agencywide risk management. Recognizing this, in 2006, NIH began designing a new risk management program, the Enterprise Risk Management Program. Although an improvement over the earlier program, the design of the new program does not fully address the components identified in GAO's framework for effective risk management. For example, the design does not incorporate strategic goals and objectives as a precondition for risk management, the evaluation of alternative responses to address identified risks, or documentation of the rationale for selecting a risk response. Further, NIH's new program is not yet fully implemented, despite an over 3-year effort. According to NIH officials, NIH has experienced delays because of a change in contractors, balancing staff resources with competing demands, and underestimating time needed for implementation.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.

Director: Linda T. Kohn
Team: Government Accountability Office: Health Care
Phone: (202) 512-4371


Recommendations for Executive Action


Recommendation: To ensure effective oversight of extramural funding decisions, the Director of NIH should establish a process for routine monitoring of the extramural funding decisions in which the IC directors use their discretion to skip applications or fund applications as exceptions.

Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should add key components and related elements needed to achieve comprehensive and effective agencywide risk management to the design of NIH's Enterprise Risk Management Program, including: (1) mission-based strategic goals and objectives as a precondition for risk management and risks to be assessed on the basis of their impact on the achievement of these goals and objectives; (2) the evaluation of risk responses to consider the effect on the likelihood of occurrence and impact of a potential risk and the costs and benefits; (3) the documentation of the rationale for selecting risk responses; (4) additional detail regarding how the assessments of the overall efficiency and effectiveness of the risk management program will be performed; (5) periodic assessments of implemented risk responses; (6) the importance of ethical values; (7) continuous training to maintain the competence of personnel carrying out risk management duties; and (8) communication with relevant external stakeholders.

Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should identify major milestones, including a final implementation date, to help ensure that NIH completes and implements the Enterprise Risk Management Program in a reasonable time frame.

Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

