NIH Should Improve Its Management of Contracts for the Acquisition of Information Technology

Why OIG Did This Audit

HHS relies extensively on contractors to fulfill its mission, and OIG has identified ensuring the financial integrity of HHS programs, including HHS's oversight of contracts, as a top management challenge for HHS. This audit is part of a portfolio of HHS OIG audits examining various aspects of HHS contracting operations. Our focus was on the National Institutes of Health's (NIH's) contract administration of large dollar information technology (IT) contracts with multiple task or delivery orders. NIH relies on contractors to support NIH and its research community and to facilitate the purchase and maintenance of IT products.

Our objective was to determine whether NIH administered contracts for the acquisition of IT in accordance with applicable Federal acquisition regulations and HHS acquisition regulations and policies.

How OIG Did This Audit

We reviewed four NIH orders totaling $21.7 million paid to a contractor during fiscal years 2019 and 2020 for IT services. We examined acquisition planning documents, award documents, contract files and records, invoices, and supporting documentation; reviewed NIH policies and procedures related to acquisitions, procurement, and supply management; and conducted virtual interviews with NIH on its governance, contracting processes, practices, controls, and management support activities.

What OIG Found

NIH contracting officers generally administered the call and task orders we reviewed for the acquisition of IT in accordance with Federal regulations and policies. However, we identified areas within NIH's management of these orders that were not always conducted consistent with applicable Federal acquisition regulations and HHS acquisition regulations and policies. Specifically, the contracting officers or contracting officer's representatives (CORs) did not: (1) include all requirements for information security and privacy in appropriate acquisition documents and properly complete information security certification checklists; (2) review invoices and recommend invoice payments for 3 of 24 invoices for 1 order; and (3) complete contractor performance assessments timely. Additionally, NIH did not fully comply with the HHS Competition Advocacy Directive for fiscal years 2019, 2020, and 2021.

These conditions occurred because NIH did not: (1) adhere to existing NIH acquisition and procurement procedures, (2) have CORs and contracting officers that coordinated and managed their workloads and responsibilities effectively, and (3) work with HHS to meet its obligation to comply with the HHS Competition Advocacy Directive.

What OIG Recommends and NIH Comments

We recommend that NIH provide additional training and implement oversight controls to improve compliance with Federal acquisition requirements related to information technology procurements, contractor performance assessments, and competition advocacy reporting. The full recommendations are in the report.

In written comments on our draft report, NIH concurred with all of our recommendations and described actions it plans to take to address the findings. NIH stated that it will create training and awareness initiatives for staff and acquisition personnel regarding requirements for IT security and privacy in acquisitions of information technology, contractor performance assessments, and competition advocacy reporting.