The National Institutes of Health Should Improve Its Stewardship and Accountability Over Hardware and Software Assets

Report number: A-18-19-06004

Why OIG Did This Review

OIG identified monitoring and reporting on the integrity of HHS programs, including responsible stewardship of HHS programs and protection of resources, as a top management and performance challenge for HHS. NIH operations are responsible for the prudent management and careful stewardship of approximately $1.8 billion in accountable personal property. The Department of Defense and Labor, Health and Human Services, and Education Appropriations Act, 2019 and the Continuing Appropriations Act, 2019, P.L. No. 115-245, provided HHS OIG with $5 million from the NIH appropriation for oversight of grant programs and operations of NIH.

Our objective was to determine whether NIH had controls in place to effectively and efficiently track and monitor information technology (IT) resources and internet protocol (IP) addresses.

How OIG Did This Review

We focused on NIH's governance, processes, and controls to track and monitor IT hardware, software, and IP addresses. We reviewed the implementation of policies, procedures, practices, metrics, and the completeness of property records; interviewed NIH personnel; and observed the implementation of tracking and monitoring tools. We considered NIH's Extramural Research Program as out of scope because the program did not involve Federal facilities and labs.

What OIG Found

NIH had controls in place to effectively and efficiently track and monitor IT resources. However, NIH did not perform internal control activities in accordance with Federal directives or maintain a continual agencywide software license inventory. Specifically, Institutes and Centers (ICs) did not perform investigations and reviews for lost, damaged, or destroyed property; identify accountable property and sensitive items as Government property; complete corrective action for property accountability and management control deficiencies; and meet minimum Department standards for its accountable personal property management program. Additionally, NIH did not maintain a continual agencywide inventory of all software licenses.

There was inadequate oversight to hold the ICs' management accountable for the performance of internal control activities. Additionally, there was no primary software asset management tool employed across all the ICs' operating environments to centralize and automate the capture of software inventory and entitlement data. These factors contributed to the deficiencies in NIH's stewardship of its IT resources. As a result, NIH was more susceptible to ineffective accountable property and control operations, which increased the risk that NIH would be unable to report reliable asset balances, to discover cost-saving opportunities, and to effectively safeguard assets from theft and other losses.

What OIG Recommends and NIH Comments

Our recommendations to NIH relate to enhancing stewardship activities associated with the management of Government personal property and software management practices. We recommend that NIH establish an oversight body that ensures that property accountability management responsibilities and control activities for Government property are performed. Additionally, we recommend that NIH employ a primary software asset management tool that centralizes and automates the capture of software inventory and entitlement data into each of the ICs' operating environments. We also made procedural and operational recommendations.

In written comments on our draft report, NIH concurred with all our findings and recommendations and described actions it has taken or plans to take to address the findings.
