
Washington State University

WSU Internal Audit Status Report FY 2017, Q2 January 26, 2017 Page 1 of 3

Office of Internal Audit Fiscal Year 2017 - Quarter 2 Status Report

October 1, 2016 through December 31, 2016

Internal Audit engages in three primary activities – assurance audits, advisory services and investigations. The focus of our efforts is to assist management in the proper discharge of their duties by providing evaluation and feedback of internal control systems and operations. This quarterly report includes updates on the status of the current fiscal year audit plan and reports and activities from prior periods completed in the current period.

FY 2017 Audit Activity From FY 2017 Plan        Status
  Continuous Audits - various                   E
  Employee Recruitment                          E
  Conflict of Interest – Research               N
  IT Inventories (software/device)              E
  Student Fin. Services - Eligibility           E
  Athletics Ticket Receipting                   N
  IT Account Access                             N
  Housing                                       E
  Extension                                     N
  Grant/Program Administration                  N
  Spokane Teaching Health Clinic                N
  Intellectual Property                         N
  Shared Leave                                  E

Completion of FY 2017 Audit Plan (status legend)
  C – Completed                                 0%
  E – Engaged                                   46%
  N – Not yet engaged                           54%

Investigations – completed to date              1
Investigations – pending                        5
Investigations – closed in prelim               0
FY 2017 Investigations                          6
Internal Advisories                             84

External Auditor          Scope                                                Status
WA Ethics Board           Investigation – WB Referral (FY 16)                  Engaged
State Auditor (SAO)       FY 2016 University Financial Statement – contract    Complete
State Auditor (SAO)       Performance Audit – (2ESHB 2376)                     Engaged
CliftonLarsonAllen        FY 2016 Auxiliary Financial Statement – contract     Engaged
3rd Party Vendor - MF     Vendor-initiated Software License Review             Engaged

Projects completed in the reporting period:

Project    Audit/Project Name                          Opinion Rating/Conclusion
I 17-01    Diversity Tech: Misuse of Travel Card       Substantiated
P 15-07    Select Agent Program                        Some Improvement Needed


Internal Audit’s Quality Assurance and Improvement Program

In accordance with Institute of Internal Auditors (IIA) Standard 1000, the purpose, authority and responsibility of the internal audit activity is defined in an approved internal audit charter that goes through periodic review. The following revisions were made to the charter and approved on November 8, 2016:

• Updated language to communicate the mandatory nature of IIA guidance, including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing

• Clarified the Chief Audit Executive’s role and duties as the University’s Ethics Advisor

• Provided for input from the Finance and Compliance Committee regarding any changes to the CAE appointment and removal

Internal Audit has solicited assistance from peers to engage the WSU IA Quality Assurance Review (QAR). The QAR will be performed by a team of two audit leaders from peer institutions of higher education in summer 2017, with a goal reporting date of November 16, 2017.

Audit Resources

For the first half of Fiscal Year 2017, the allocation of auditor effort continues to align with the expectation of about 70% dedicated to planned audits. The audit team includes the CAE, Audit Manager, Senior IT Auditor, three staff auditors, an administrative assistant and an intern.

Current audit resources and competencies are sufficient to engage annual audit plan of activities.

Audit Support Activity includes: developing and enhancing audit tools and methodologies, including those for review of management monitoring activities and annual audit planning

Advisory/Facilitation includes: advisory services (84% - ethics, system guidance, policy review, participation in university committees or ad hoc groups, providing training on controls), external audit liaison (16%)

IA CAE participated as a team member in the QAR of University of Idaho in November. This time was allocated as audit support given the benefits the effort will provide towards IA’s own QAR.

[Figure: Allocation of Effort pie chart. Segments: Audit Support Activity, Advisory/Facilitation, Investigation, Planned Audit; values shown: 7%, 19%, 2%, 72%.]


Completed Reports Summary

Investigations

I 17-01, Diversity Technician – Misuse of Travel Card

Summary: Internal Audit received a referral asserting that an administrative employee misused his University travel card for personal purchases and did not make full payment of the balance as required. The assertion was substantiated. At the time of investigation, the travel card had been cancelled by the issuing bank for nonpayment and the employee was in arrears $1,881. Personal use of the card was confirmed. These results were communicated to management with recommendations to coordinate with Human Resource Services on personnel/corrective action and to ensure the employee coordinates with Payroll Services and Travel Services for the balance to be paid in full or deducted in reasonable amounts from the employee’s pay until paid in full.

Planned Audits

P 15-07, Select Agent Programs

Summary: This audit was included in the FY 2015 audit plan. Audit procedures had been delayed due to conflicts with the timing of external inspection parties and internal resource availability. The audit subject matter is highly sensitive and audit procedures were carefully designed to ensure no unintentional breach of information or access to secured substances. The audit was non-technical in nature and evaluated administrative controls over security and incident response plans, physical and technological security of data and inventories, and compliance with oversight agency requirements for governance and management of the Program. We reviewed internal and external inspection activities – these were occurring as required and did not identify exceptions with regard to identification, registration, security and tracking of select agents and toxins. We did note opportunities for improvement in clarifying roles and responsibilities and controls over data and records.

January 13, 2017

Dr. Christopher Keane
Vice President for Research
WSU Office of Research
Lighty Svc 280
Pullman, Washington 99164-1060

Dear Dr. Keane:

Following is the final report for our audit of the Washington State University Select Agents Program. Management’s response has been included in the report. We concur with the actions planned or already implemented.

In accordance with management’s estimated correction dates, we will perform follow-up activity to determine whether the corrective actions have been implemented and achieve the desired effect.

We appreciate the cooperation and assistance provided by your staff during this review. Please let me know if we can be of further service.

Sincerely,

Heather Lopez
Chief Audit Executive, Internal Audit

cc: Dr. Kirk Schulz, President
    Dr. Daniel Bernardo, Provost
    Mike Kluzik, Director, Office of Research Assurances
    Levi O’Loughlin, Biological Safety Officer
    Danielle Hess, Division Chief, AAG
    Deborah Pennick, Audit Manager, SAO Team Pullman

Office of Internal Audit

Planned Audit of Select Agents Program, P 15-07 January 13, 2017

P 15-07 Page 2 of 23

TABLE OF CONTENTS

EXECUTIVE SUMMARY ............................................................................................................. 3

BACKGROUND ........................................................................................................................ 6

SCOPE and AUDIT METHODOLOGY .......................................................................................... 8

ISSUES, RECOMMENDATIONS and MANAGEMENT RESPONSES .................................................... 9

CRITERIA .............................................................................................................................. 21

AUDIT STANDARDS .............................................................................................................. 22

AUDIT TEAM INFORMATION .................................................................................................. 22

APPENDIX A – RISK RATING ................................................................................................... 23


EXECUTIVE SUMMARY

The audit of the Select Agents Program (SAP or Program), also known as Select Agents and Toxins (SAs or SATs), was included in the Fiscal Year 2015 Audit Plan as a result of risk assessment. Select agents and toxins are substances that have the potential to pose substantial harm or severe threat to human, animal or plant health. Federal regulations require entities that possess biological agents and toxins to register with designated federal agencies and demonstrate compliance with specific safety and institutional & personnel security standards for handling these agents. Washington State University possesses several select biological agents in more than one location as part of its research enterprise activities. In accordance with federal regulations governing select agent programs, a single Responsible Official (RO) has been designated with responsibility to act on behalf of WSU to ensure compliance with the regulations. The RO is Vice President for Research, Dr. Christopher Keane. We performed tests of internal controls to provide reasonable assurance that:

1. Responsibility for management of the Select Agent Program (SAP) has been appropriately assigned.

2. The identification, registration and tracking of select agents and toxins is occurring and performed timely.

3. Security, Biosafety and Incident Response Plans have been developed and implemented as required.

Due to the highly sensitive nature of the subject matter, and because the SAP is heavily regulated and regularly audited, we adjusted our audit methodology for audit objective 2, with senior management’s concurrence, so as not to have direct contact with the substances or the inventory records. Internal inspections are conducted annually by the ORA Director/ARO and the Biosafety Officer in coordination with Principal Investigators (PIs). Announced and unannounced external inspections are conducted by APHIS/CDC. We reviewed and relied upon the records of the internal and external inspections and related correspondence to evaluate whether the processes in place were adequate to meet federal requirements. Relevant to our audit objectives, no exceptions were noted with regard to the identification, registration and tracking of select agents and toxins.

For all other tests, to meet the other objectives we performed tests onsite and did not remove any SAP records or data from the secure facilities. We believe the procedures as performed (and further defined in Scope and Audit Methodology) were sufficient to meet the audit objectives and evaluate adequacy of internal controls.

Conclusion

Overall, we concluded that internal controls are adequate to ensure objectives are met. In general, the SAP is in compliance with significant regulations tested; internal and external inspections have determined the identification, registration and tracking of select agents and toxins is occurring as required, and safety and response plans are in place. In addition, physical security at the locations where select agents are used, stored, or planned to be used or stored is secure. We found some improvement is needed in areas associated with the audit objectives including controls as related to responsibilities and authorizations for the SAP, security and management of both physical and electronic records containing select agent data, and monitoring of updates to public-facing information pertaining to the select agent program. Detailed descriptions of the following audit observations, our recommendations and management's responses are provided within this report:

1. Authorizations and Responsibility

1.1 There was a period of four and a half months with no acknowledgement from the agency of new RO assignment.

1.2 An individual without Security Risk Assessment (SRA) approval has been permitted access to select agent data files.

1.3 RO/ARO position descriptions are not specific to their roles in the Select Agent Program.

1.4 Public directories and web pages are not clear, or correct, as to who is the RO and ARO.

2. Document/Access Management and Security

2.1 Information technology resources that process, store or transmit select agent information have control weaknesses that increase the likelihood that the confidentiality, integrity or availability of sensitive data could be compromised.

2.2 Document retention policies need to be clarified.

2.3 Document destruction process for SAP documents is not adequate.

2.4 Deactivation documentation for individuals leaving the Program needs improvement.

Maintaining compliance with the highly regulated SAP is important to supporting the University’s research initiatives. While tests have shown security plans and individual risk assessments are being performed as required, we encourage periodic holistic assessments of administrative oversight of the program to ensure appropriate processes are implemented and adequate resources are deployed to mitigate safety and compliance risks.

BACKGROUND

Select agents and toxins are substances listed in the Code of Federal Regulations (CFR) which have the potential to pose a severe threat to public, animal or plant health, or to animal or plant products. The Federal Select Agent Program (FSAP) oversees the possession, use and transfer of biological select agents and toxins. FSAP is jointly comprised of the Centers for Disease Control and Prevention’s (CDC) Division of Select Agents and Toxins and the U.S. Department of Agriculture’s (USDA) Animal and Plant Health Inspection Service (APHIS) and Agriculture Select Agent Services (AgSAS). To implement a robust oversight program over select agents and toxins, the FSAP issued the Select Agent Regulations (7 C.F.R. Part 331, 9 C.F.R. Part 121 and 42 C.F.R. Part 73). The Department of Health and Human Services (HHS) promulgates regulations requiring entities to register with the CDC if they possess, use or transfer a select agent or toxin that can pose a risk to human health, and result in a zoonotic disease. The U.S. Department of Agriculture (USDA) promulgates regulations requiring entities to register with APHIS if they possess, use or transfer a select agent or toxin that poses an environmental or agricultural threat. The CDC and APHIS coordinate regulatory activities for those entities that would be regulated by both agencies if they possess “overlap” select agents. The FSAP administers the select agents and toxins regulations in close coordination with the Federal Bureau of Investigation’s (FBI’s) Criminal Justice Information Services (CJIS). In short, there are multiple federal regulations and federal agencies engaged at some level and at various process points as related to select agents and toxins.

One of the fundamental elements of SAP regulations is biosecurity, to keep SAs and toxins out of the possession of individuals who might intend to misuse them, such as bioterrorists. The SAP regulations also provide for strong biosafety and containment measures to reduce the risk of exposure leading to health and safety concerns. Non-compliance with SAP regulations can lead to audit findings, fines, reputational damage and lack of adequate safety protocols. Violations could result in suspension or revocation of the entity’s certificate of registration, thus rendering the institution unable to conduct research with select agents and toxins. Other violations could result in monetary penalties for individuals and the entity, and imprisonment of violators. Lack of adherence to required safety protocols could be catastrophic and could result in creating an immediate danger to human, animal and plant health. Each entity with an SAP program has a designated Responsible Official (RO) who acts as the point of contact between the employing entity and all federal agencies in administering the Program.


The RO plays a key role in ensuring continuous compliance. In his or her absence, a designated and approved Alternate RO (ARO) takes on the day-to-day responsibilities of the RO on a temporary basis. WSU’s RO is the Vice President of Research. The ARO is the Director of Office of Research Assurances. The University has applied for a second alternate - the Biological Safety Officer.

Any researcher or PI who possesses a select agent or toxin (SAT), or wishes to initiate studies with SATs, must first declare his or her intentions to the RO/ARO. The RO/ARO, on behalf of the entity, will work with the PI to complete and submit the application to the required agency or agencies – usually to APHIS or CDC. Registration will only be valid for the specific SATs identified, the particular activities and locations where work will be conducted, and the specific individuals approved to handle and use the regulated materials. The RO must submit any changes to the original registration, such as new individuals, agents or locations.

All individuals working with or having access to select agents or toxins must have an approved Security Risk Assessment (SRA - a background check performed by the Department of Justice). An entity may not provide any individual access to a select agent or toxin unless the DHHS or USDA Secretaries, based on the SRA, have approved the individual. Select agents may only be transferred to registered entities and either the APHIS or CDC must authorize all transfers of select agents prior to transfer.

PIs and WSU must implement a safety plan commensurate with the risk to public, animal and plant health, posed by the biological agent or toxin. The requirements will vary based on the hazard and the quantities handled. Also, a security plan must be developed and implemented that addresses the security of areas that contain select agents and toxins. The security plan must address threat assessments, examining vulnerabilities and risks associated with those vulnerabilities. Specific components of the plan must include:

1. Select agent and toxin inventory control procedures

2. Provisions for securing the area, such as card access, keypads, locks and access to containers where materials are stored

4. Procedures for loss or compromise of keys, passwords and combinations

5. Procedures for loss, theft, alteration of inventory records, or release of agents or toxins

6. Measures to escort and monitor individuals not approved by a security risk assessment, but who may have access to select agents (e.g., custodial staff, maintenance staff and visitors)

WSU, as a registered entity, must maintain:

• An up-to-date list of individuals who are approved to handle and use select agents and toxins

• An accurate, current inventory of each select agent and toxin (name, characteristics, quantity and disposition)

• Inspection records

• Security, biosafety and incident response plans

• Training records

• Transfer documents and permits

In accordance with WSU lab safety policy SPPM 4.20.5, the Biological Safety Officer (BSO) develops, directs, provides training and manages the WSU biological safety program in compliance with federal, state and institutional guidelines and serves as a biosafety resource to the Institutional Biosafety Committee (IBC), Institutional Animal Care and Use Committee (IACUC), University Health & Safety (UH&S), Institutional Review Board (IRB), Environmental Health and Safety (EH&S) and Facilities Services, Operations. The BSO also provides advice and consultation to incident commanders (WSU Police Department and/or local police and fire services) during emergency responses.

Per SPPM 4.20.4, the Vice President for Research or representative and the Senior Associate Vice President for Finance and Administration or representative are jointly responsible to review the biological safety policy at least once a year and report University activity, as required, to federal and state agencies and ensure compliance with applicable regulations and guidelines from federal, state and local agencies.

SCOPE and AUDIT METHODOLOGY

The scope of our audit was to review the Select Agent Program at WSU, as it existed Fiscal Year 2015 through September 2016. Internal Auditors did not request or obtain SRA approval, therefore SAT inventory records were not physically reviewed by our Office. Audit fieldwork took place between August 26, 2016 and December 16, 2016. During the course of the audit, we visited facilities holding select agents and records related to the SAP. While onsite, we reviewed internal and external inspection records, findings and corrective action plans, and follow-up documentation. Personnel records, policies, certifications, relevant training affidavits and training material were also reviewed. Security, safety and incident response plans were reviewed as well as results of drills and tests of plans and related risk assessments. We interviewed the RO, ARO, BSO, PIs and lab manager to identify and evaluate internal controls and operating procedures in effect at the time of audit fieldwork. We reviewed documentation processed during Fiscal Year 2015 to the audit fieldwork date in the following key areas:

• RO Responsibility

• Security, Biosafety and Incident Response Plans

• Identification, Registration and Tracking of SATs

ISSUES, RECOMMENDATIONS and MANAGEMENT RESPONSES

The following lists the areas of concern presented to management. Each issue represents a condition, error or internal control weakness identified during the audit that may have a negative impact on the University’s or unit’s assets, financial information, and/or ability to comply with laws and regulations or University policies and procedures. For each individual issue, we prepared a recommendation to address the situation and requested management’s plan for corrective action and a timeline for implementation. We will follow up with management to determine whether corrective action has been implemented in the timeline established.

1. Authorizations and Responsibility

2. Document/Access Management and Security

1. Authorizations and Responsibility

Each registered entity that possesses, uses or transfers Select Agents and Toxins (SATs) is required to designate an individual as their Responsible Official (RO) and submit that person's name to the Federal Select Agent Program (FSAP) for approval. The RO plays a key role to ensure that his or her entity is in compliance with the select agent regulations and serves as the main point of contact for all select agent registration, reporting and compliance issues. There can only be one RO at a registered entity at any given time and there should be no gaps between RO designations.

Audit objective 1 was to evaluate internal controls to ensure ‘Responsibility for management of Select Agent and Toxins (SATs) program has been appropriately assigned.’ Related to the objective, we tested internal controls in place to ensure adherence to FSAP requirements for designating an RO and an Alternate RO. We reviewed mission statements, website data, unit and function policies, organization charts, position descriptions, budgets and budget authority, and interviewed key employees. In reviewing assigned responsibilities, we relied upon 9 C.F.R. Part 121 to determine if adequate authority and responsibility have been assigned. Based on our testing we noted the following issues:

1.1 There was a period of four and a half months with no acknowledgement from the agency of a new RO assignment.

Per the Responsible Official Guidance Document provided by APHIS/CDC, when there is an anticipated change in RO assignment, a registered entity must submit the appropriate sections of APHIS/CDC Form 1 as early as possible for approval of the new RO. It is a requirement of the select agent regulations for a registered entity to have an RO approved by the FSAP at all times. In the absence of the RO, a previously appointed and approved Alternate RO may assume the RO’s responsibility and have the authority to act on behalf of the registered entity on a short-term, temporary basis. This designation should be clear and the ARO must be able and willing to assume the full range of responsibilities of the RO. Prior to the current RO, WSU has successfully transitioned from one RO to the next by following similar processes. In one case, the ARO requested the change in ROs and in the other instance the RO self-appointed himself and completed Form 1. In each case, the application was accepted by the agency and new ROs were assigned. The most recent change in ROs occurred during the summer of 2014 when Dr. Christopher Keane was appointed as the new VP for the Office of Research, effective July 1, 2014. Similar to previous processes, Dr. Keane submitted Form 1 to USDA-APHIS along with a cover letter on July 8, 2014 to appoint himself as the new RO, as he was assuming the role of RO from Dr. Nancy Magnuson. USDA-APHIS denied this request, stating that an RO cannot self-appoint and when possible, the departing RO should send an amendment to appoint his or her successor. In cases where the RO has already left the entity, the new RO must be appointed by an owner, controller or person of authority at the entity. A new letter dated October 28, 2014, signed by President Floyd, was submitted and requested appointment of the RO with a retroactive effective date of July 1, 2014. 
On November 25, 2014, the University received notice that USDA-APHIS received documentation from WSU dated October 28, 2014 and, as a result of their review of the initial amendment request and as modified by subsequent documents, they authorized WSU to conduct the activities described in the amendment and to amend the entity registration to remove the RO and appoint a new person to this position.

An entity’s RO must have passed a security risk assessment conducted by the Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) and be approved by the Federal Select Agent Program. Dr. Keane’s SRA was not approved until September 4, 2014. The newly appointed RO did not have access to select agents during this time but should not have been designated as RO until the SRA was completed. According to the RO Guidance Document, in the event that an RO vacates the assignment before a replacement is found, the ARO assumes the position and responsibilities of the RO either permanently or temporarily until a replacement is selected by the entity or the RO assumes full duties. During this time, an interim RO was not officially assigned but the entity did have two AROs on staff.

Condition: During the period of July 1 through November 25, 2014, WSU did not have confirmation that the agency accepted the assignment of the new RO. The first request to assign a new RO did not occur until July 8, 2014. The RO was not SRA approved until September 4, 2014. The entity did have two SRA-approved AROs on record.

Cause: Processes previously followed for RO transitions were no longer acceptable by the agency. Processes for monitoring governance of the Select Agent Program and authorization requirements were not adequate. Designation and approval of authorizations should occur timely for any change in senior management. Such changes should be anticipated by the entity.

Recommendation: We recommend that WSU institute a formal transition process for changes in RO/ARO designations factoring the long security and approval process times. If transitions are anticipated, leadership should evaluate formally designating an ARO as temporary RO or appointing another SRA and FSAP approved position in the short-term to ensure no gaps in leadership and responsibility.

Management Response: Language will be proposed for inclusion in the Safety Policies and Procedures Manual (SPPM) 4.20 “Biological and Select Agent Safety Policy” addressing the recommendation prior to February 28, 2017.


1.2 An individual without SRA approval has been permitted access to select agent data files.

An RO may delegate authority to an ARO or others in the program for a wide range of duties. However, regardless of delegation, only individuals with SRA approval may have access to designated select agents and select agent data. The WSU SAP set up an Exchange server group email to be used for distribution of emails to members of the WSU SAP. This email is an inbound-only account, meaning messages only come in to this account and can’t be sent back out. Also, the individuals assigned to receive emails from this account are the only ones to receive the emails, and they receive the emails all at the same time as received in the group email and subsequently distributed to their individual WSU Exchange email accounts. This account is used to receive confidential emails from APHIS/CDC pertaining to communication on the program. We reviewed access to the secured group email account and noted that in addition to the RO and the two AROs, the RO’s assistant is included in the group. The assistant has not had a Security Risk Assessment (SRA), yet some of the email exchanges include sensitive information that should only be viewed by those with SRA approval.

Condition: An employee without SRA approval has access to select agent data and records via group email. There is potential for less stringent security of email contents, resulting in greater exposure to lost data.

Cause: The SAP did not interpret the SRA requirements to extend to the assistant, given that her access is limited to data and communications.

Recommendation: Per the FSAP Security FAQs, anyone, including IT personnel, who will have access to a select agent or toxin, directly or otherwise, will need to have an SRA and be listed on the entity’s APHIS/CDC Form 1. We recommend the SAP clarify with the regulating agencies whether SRA requirements extend to employees with access only to data and communications, and update policies and practice accordingly.

Management Response: Language will be proposed for review by the agency addressing the recommendation prior to February 28, 2017. Upon response from the agency, we will implement their recommendations into our policies and practice accordingly. Please note that the response from the agency will also influence recommendations 2.1-2.3.


1.3 RO/ARO position descriptions are not specific as to their roles in the Select Agent Program.

The position description is a University document that defines an individual employee’s roles and responsibilities, expected workload and effort. Properly defined roles and responsibilities provide clear guidelines for position evaluation and enable greater accountability. Relative to the SAP, clearly defined position descriptions also help demonstrate WSU’s efforts in meeting the RO/ARO responsibility and dedication of effort towards FSAP compliance. We reviewed position descriptions to determine whether responsibilities were clearly defined. For the RO, the position description does not state his designation as RO or the percentage of time he is expected to dedicate towards administering the SAP at WSU. For the first ARO, the position description also does not state a percentage allocation of job responsibilities as it relates to the SAP. The first ARO is currently involved in a number of roles and is the primary contact for most Office of Research Assurance (ORA) functions. The Program applied to FSAP to appoint a second ARO (the BSO). The second ARO has been performing annual inspections of the labs and inventory. The RO and first ARO have not assigned any decision-making responsibilities to the second ARO. A review of the second ARO’s position description identified an estimated 25% of effort towards the SAP. Although the roles and responsibilities have been defined and are being carried out, the unit has yet to receive confirmation from FSAP that the second ARO is approved in that position. The second ARO was included in the FSAP listserv, and therefore the assumption was made that FSAP acknowledged him as an ARO. Although being included on the listserv and receiving communication from FSAP is a strong indicator that the second ARO has been approved, it does not replace direct confirmation. In the event of an unannounced inspection by the Agency when both the RO and first ARO are absent, the University would be unable to demonstrate that the second ARO is approved.
It has been noted through interviews with several key employees that confirmation information from FSAP is slow or not forthcoming.

Condition: The lack of substantive information pertaining to roles, responsibilities and effort for the SAP within position descriptions makes it difficult to affirm the University’s intent to meet FSAP dedication-of-effort requirements and expectations.

Cause: Position descriptions have not been reviewed and updated according to assigned roles. The performance evaluation process should incorporate evaluation and assessment of position description to actual expectation to determine if any modifications are required.


Recommendation: Evaluation of position descriptions against program requirements and assigned duties and responsibilities should be an essential component of the annual performance evaluation process. We recommend the SAP evaluate workload and responsibilities within the context of the Program and work with Human Resource Services to update position descriptions accordingly.

Management Response: Language will be proposed to HRS for inclusion in position descriptions to address the recommendations for AROs prior to February 28, 2017 and for the RO prior to March 31, 2017.

Recommendation: The SAP should aggressively pursue confirmation from the Agency regarding the second ARO’s approval as ARO and maintain a record of that confirmation.

Management Response: Although there have been numerous requests since the initial February 5, 2016 amendment to add a second ARO, an additional request was made on January 10, 2017 to confirm the recommendation and we will continue to request confirmation monthly until we receive notice.

1.4 Public directories and web pages are not clear, or correct, as to who is the RO and ARO.

During audit planning we noted several areas on public websites where information related to the SAP and its responsible officials was not current. Some of the information was retracted and/or updated by the time of audit fieldwork; however, some incorrect information remained on the public interface, including:

• Directory information does not specify what positions at the University serve as RO and ARO

• A Q&A has an inaccurate representation of roles in that it defines the RO as the point of contact with regulating agencies then names the ORA Director as the point of contact

• There are links to old sites with outdated information (trainings and directories dating to 2003)

The SAP does not have a dedicated document control specialist to help monitor websites, manage documents to ensure accuracy, quality and integrity, adhere to records retention policies, and ensure deadlines pertaining to training, renewals etc. are met. The department has noted plans to recruit appropriate individuals in its overall plan for improvement.


Condition: Outdated and incorrect information is presented on websites related to SAP responsible parties. Outdated information on websites, or old sites that are not disabled, can provide misleading information to users or regulators.

Cause: The department has not established monitoring and management processes for sites with public data.

Recommendation: We recommend the department evaluate what information about the SAP should be presented in public-facing documents or sites and develop a program for monitoring and managing the content of that information and its delivery. Monitoring efforts could include implementing a schedule of periodic review.

At a minimum, any links to old sites should be removed and old sites disabled so as not to provide misleading information to users or regulators.

Management Response: A request to edit all website links identified by the auditors was submitted on January 4, 2017. A search for additional public-facing documents will be conducted with a forthcoming request to edit identified content prior to February 28, 2017. Monitoring website content will be added into future annual program reviews.


2. Document/Access Management and Security

Entities with a select agent program are required to develop and implement a written security plan. The security plan must be sufficient to safeguard the select agents against unauthorized access, theft, loss or release. The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. The security plan must describe procedures for physical security, inventory control and information systems control, control of access to SATs, and provisions for routine cleaning, maintenance and repairs; it must describe procedures for addressing loss or compromise of keys, passwords, combinations, etc., and contain protocols for changing access numbers or locks following staff changes. Per BPPM 90.15.1 on Essential Records Protection, each University department is responsible for identifying and protecting records needed in an emergency and for the reestablishment of normal operations after the emergency. Essential records enable a department to resume operations after a disaster or emergency. Once the essential records are identified, a secure storage site must be chosen. Per EP#8, University data shall be safeguarded to ensure its confidentiality, integrity, reliability and availability. Non-public University data should be protected from disclosure in the event of loss using such practices as device locks or data encryption. Non-public University data must be protected during network transmission using practices such as secure transport mechanisms or data encryption. At WSU, the Vice President for Research is the Data Steward and the Director, ORSO is the data custodian for research data.
Audit objective 2 was to evaluate internal controls to ensure ‘Security, Biosafety and Incident Response Plans have been developed and implemented as required.’ Related to the objective, we reviewed the implemented plans, the processes for assessing risk and results of internal and external inspections. Based on our testing we noted the following issues:

2.1 Information technology resources that process, store or transmit select agent information have control weaknesses that increase the likelihood that the confidentiality, integrity or availability of the sensitive data could be compromised.

Most program-related papers and communications from FSAP are kept on each of the RO/ARO/BSO’s University-provided work computers, in the form of email attachments or as separate documents on their local machines. The servers are encrypted. Backup data is maintained on an encrypted flash drive and accessed from network machines. During fieldwork, we observed that at times individuals leave their machines unattended for brief amounts of time, putting University data at risk. Further, records required for the audit and relevant to support the security plans, inspections or other audit-related areas were not all available for review, because they were on different local machines and some could not be located. In the event of an unannounced external inspection, the Program could be at risk of findings if it were unable to produce the required support completely and in a timely manner.

Condition: Although the devices in use are encrypted, sensitive data is stored on local systems, increasing the risk that data and information pertinent to the Select Agent Program will be compromised, lost or insufficiently retained for internal purposes (renewals/reporting) or public records requests.

Cause: The SAP policy is not clear as to storage location requirements for all SAP data, by type.

Recommendation: We recommend the Program reevaluate the risks associated with data and documents relevant to the SAP and develop a stronger security protocol for storage of related documents. Management should document the decision process, including any risk assessments and tests of the possible solutions evaluated, per BPPM 90.01.

A stronger protocol, and a best practice, may include required use of a secure, central server and implementation of automated processes to force storage of sensitive data to the properly secured network storage area.

Management Response: We will include Select Agent record storage guidelines and criteria in the WSU Select Agent Security Plan prior to May 31, 2017.

2.2 Document retention policies need to be clarified.

The SA regulations indicate a period of three years for retention of select agent documents. Per BPPM 90.01.1 on University Records - Retention and Disposition, departments are responsible for retaining and disposing of University records in accordance with retention periods approved by the Washington State Records Committee (RCW 40.14). The Office of Procedures, Records and Forms coordinates the records management program and assists departments with records retention and disposition. The Director of Procedures, Records and Forms is the WSU Records Officer. If the department has a unique records series title not included on the All-University Schedule, the department's records coordinator is to contact the WSU Records Officer to obtain a draft records retention schedule. If records are no longer regularly accessed, departments should move them from active files in file cabinets or on computers to inactive storage locations.

Condition: In the absence of a retention schedule, there is no guidance for processing program documents or identifying which documents should be retained for the regulated period (3 years) or for different periods. This may create risk in that records may be held longer than required or not long enough.

Cause: The unit has not produced a department retention schedule.

Recommendation: We recommend management evaluate and collaborate with Procedures, Records and Forms to develop a records retention policy as it relates to SAP documentation.

Management Response: We will include Select Agent record retention guidelines and criteria in the WSU Select Agent Security Plan prior to May 31, 2017.

2.3 Document destruction process for SAP documents is not adequate.

Per BPPM 80.80 on Recycling of Confidential Material, any material containing confidential information must be shredded. Confidential records include records that are exempt from public disclosure, including research data (RCW 42.56.270). Generally, records are destroyed by shredding. Departments may shred records with a departmentally owned shredder, hire a private shredding company or have the records shredded by WSU Waste Management. Confidential records in non-paper media (e.g., CDs, DVDs, and hard drives) must be made illegible prior to disposal: such media must be physically destroyed, or the digital records must be securely deleted with a suitable software program. Any electronic destruction method must include at least a three-pass binary overwrite. The SAP maintains SA inventory logs in both paper and electronic form, stored by the PIs in the safe in the BSL3 labs. Likewise, there are SAP-related documents residing on the RO/ARO/BSO's local machines and in email form. The disposition process for these records is to delete all email and digital copies and to dispose of all paper documents in the University-provided and managed confidential data destruction bins. Electronic records are not being deleted with a minimum three-pass binary overwrite. The University-provided confidential bins are simply garbage bins with a small slot in the lid, with the lid locked by a padlock. The confidential bins are picked up by central Waste Management when full and taken by truck to a central disposal site.

Condition: The process of disposing of confidential documents is not adequate to ensure complete destruction. There is a risk with the confidential bins that loose papers may be removed from the bin or come out during transit or disposal.

Cause: The method of record disposal and the risks associated with alternate methods are not adequately addressed in the risk assessment used to develop the security plan.

Recommendation: We recommend the SAP evaluate various options for disposal of confidential records and ensure the method deployed for SA records affords the same level of security as living documents. The risk assessment should be documented, and policies for disposal should be implemented and monitored.

Management Response: We will include Select Agent record disposition guidelines and criteria in the WSU Select Agent Security Plan prior to May 31, 2017.

2.4 Deactivation documentation for individuals leaving the Program needs improvement.

Per BPPM 60.74.1 on Employee Departure Procedures, when an employee resigns, retires, dies or is otherwise separated from employment at the University, the employing department is responsible for ensuring that all applicable personnel, payroll, computing, financial, facility, property and safety-related procedures are completed. In order to facilitate this process, departments are to document the completion of required items, either by using the Departure Checklist or a departmental checkout document.

In the event a researcher wants to leave the SAP, he informs the PI. The PI in turn informs the program Executive Director, the RO and the ARO. The process is not always in writing. The exit process involves deactivating the swipe card and changing the PIN access code. Although the Security Plan delineates the deactivation process for researchers, staff and IT personnel, there is currently no written record that the process was carried out, and no log or retention of such a record.


Condition: The existing exit procedures are documented, but the execution of the deactivation procedures, and who completes the process, needs to be better documented. As the program grows, best practice is to have procedures delineating individual access to the program and to maintain a record as proof of such access and of its removal.

Cause: The Program does not document departure and deactivation processes.

Recommendation: We recommend that management evaluate and develop procedures to document the assignment and deactivation of individual access to the SAP, document such access, and maintain the records based on the retention schedule. Management may refer to the Human Resource Services departure checklists as an example. An exit checklist for the SAP should include, at a minimum:

• Access removal from physical facilities (keys and key cards turned in/turned off)

• Access removal from servers and machines (management of access set by group policy)

• Records or data permitted to be removed (and certification that only permitted information was removed, and by what means)

• Authorizations updated, including notice to FSAP and other regulating bodies

• Directories updated

Management Response: An exit checklist will be implemented prior to February 28, 2017.


CRITERIA

During the course of our review we referred to the following rules, regulations and/or policies:

WSU Policy

• WSU/ORA/Biosafety - SAT

• WSU/ORA/Biosafety - Training - Emergency Response

• SPPM 4.20 - Biological and Select Agent Safety Policy

• SPPM 4.22 - Biological Safety Cabinets

• SPPM 5.40 - Transport and Shipment of Hazardous Materials and Dangerous Goods

• SPPM 9.80 - Radiation Safety Incident and Emergency Response

• BPPM 20.77 - Contaminated Surplus Property

• BPPM 30.59 - Emergency Planning and Preparedness

• BPPM 60.74 - Employee Departure Procedures

• BPPM 90.01 - University Records - Retention and Disposition

• BPPM 90.05 - Release of Public Records (Confidential Research Data)

• EP 8 - University Data Policies

• EP 29 - Electronic Communication Policy

Federal Regulations and Guidelines

• 42 CFR Part 73 - Public Health

• 7 CFR Part 331 - Agriculture

• 9 CFR Part 121 - Animals and Animal Products

• Public Law 107-188, Bioterrorism Preparedness and Response Act

• Responsible Official Guidance Document, 7 CFR §331.11, 9 CFR §121.11 and 42 CFR §73.11


AUDIT STANDARDS

Our office follows the Generally Accepted Government Auditing Standards, prescribed by the US Government Accountability Office, and other criteria as promulgated by the Institute of Internal Auditors’ “International Standards for the Professional Practice of Internal Auditing” (IIA Standards), in carrying out the planning and engagement of audit activity. The IIA Standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Accordingly, we included such tests of the accounting records and other procedures as we considered necessary in the circumstances.

The WSU Office of Internal Audit is not in full conformance with the IIA Standards in that a quality peer review has not yet been performed.

AUDIT TEAM INFORMATION

Lead Auditor: Jaya Sivakumar

Supervisor: Lenka Perkins

For questions regarding this project, contact Heather Lopez, Chief Audit Executive:

Email: [email protected]

Phone: (509) 335-2001

Website: http://www.internalaudit.wsu.edu

APPENDIX A: Audit Risk and Opinion Methodology

Audit Risk Rating Criteria

Rating: High

Risk has a high impact and is highly likely to occur. This is a high-priority issue - immediate management attention is required. This is a serious internal control or risk management issue that, if not mitigated, may, with a high degree of certainty, lead to:

• Substantial losses, possibly in conjunction with other weaknesses in the control framework or the organizational entity or process being audited

• Serious violation of University strategies, policies, or values

• Serious reputation damage, such as negative media publicity

• Significant adverse regulatory impact, such as loss of operating licenses or material fines

Rating: Moderate

Risk has a high impact and low likelihood, or low impact and high likelihood. This is a medium-priority issue - timely management attention is warranted. This is an internal control or risk management issue that could lead to:

• Financial losses

• Loss of controls within the organizational entity or process being audited

• Reputation damage, such as negative publicity in local or regional media

• Adverse regulatory impact, such as public sanctions or immaterial fines

Rating: Low

Risk has a low impact and low likelihood. This is a low-priority issue - routine management attention is warranted. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the unit or process being audited. Risks are limited.

Areas of Proficiency

Positive statements where internal controls, governance or risk management processes were adequately established and functioning well for each of the audited areas/systems.

Table of Opinion Methodology

Satisfactory

• Control environment is adequate

• No findings noted

• Management’s control environment appears sound

• All high-level risks adequately controlled

Some Improvement Needed

• Control environment is adequate but some exceptions exist

• Some control weaknesses and/or opportunities for improvement observed

• Management’s control environment appears otherwise sound

• High-level risks are adequately controlled

Major Improvement Needed

• Control environment is not adequate and significant exceptions exist

• Some high-level risks are not adequately controlled

• At least one finding is rated “high”

• Immediate safety and soundness are not threatened, but management’s control environment requires improvement

• Significant exposure to fraud or security vulnerabilities