Other Compliance Issues
i. Cost-sharing
ii. Program Income Policy
iii. Credit Card Processing and Security Policy - Merchant Services Policies and Procedures
iv. Effort Reporting Procedures
v. Export Controls
vi. Information Assets Acceptable and Responsible Use Policy
vii. Electronic Approvals
viii. Password Security
ix. Data Classification and Handling Policies
x. E-Mail Services
xi. Intellectual Property
xii. Research Integrity/Regulatory Compliance
i. Cost-sharing Policy and Procedures
When federal statute or agency regulations require that the university share in the cost of sponsored projects, the university contribution is referred to as “cost-sharing.” The terms “cost sharing,” “matching” and “in-kind” are often used interchangeably. In general, cost-sharing represents that portion of project or program costs not borne by the sponsor (generally the federal government).
Definitions:
Mandatory Committed cost sharing is required by statue or law and is explicitly described in the notice of funding opportunity and specifically included in the proposal document.
Voluntary Committed cost sharing is contributions that are not required in the notice of funding opportunity but are specifically offered in the proposal budget, budget justification or letters of support and become a binding requirement of the award, requiring documentation.
Voluntary Uncommitted cost sharing is contributions that are not included in the proposal or identified on the notice of award. This type of cost sharing is not tracked or reported to sponsor agencies. If this type of cost sharing is used to meet a sponsor requirement, such as a PI effort obligation, documentation requirements apply.
Cash contributions represent the recipient's cash outlay, including the money contributed to the recipient by non-federal third parties.
In-kind contributions represent the value of all non-cash contributions, including services and property, provided by the recipient and/or non-federal third parties.
Policy: It is the policy of the research foundation and the university to offer cost-sharing in a proposal only when it is a requirement of the request for proposal or the program announcement. Federal regulations (2 CFR 20.306) state that federal agencies must explicitly describe the criteria for cost sharing requirements that will be used as a factor in determining receipt of an award in the notice of funding opportunity. Non-federal sponsors typically indicate in program guidelines whether or not cost-sharing is mandatory for a specific proposal submission. Cost-sharing is included in proposals only when required so that limited university resources, both monetary and time commitments, can be used most effectively. If offered in a proposal, all matching contributions, both cash and in-kind, must adhere to the following criteria as required by OMB Uniform Guidance, Subpart D (2 CFR 200.306):
- Are verifiable from the recipient's records;
- Are not included as contributions for any other federal award;
- Are necessary and reasonable for accomplishment of the project or program objectives;
- Are allowable under the applicable cost principles (Uniform Guidance: 2 CFR 200, Subpart E or other sponsor regulations if the sponsor is non-federal);
- Are not paid by the federal government under another award, except where the federal statute authorizing a program specifically authorizes the use of those funds for cost sharing under other federal programs;
- Are provided for in the approved budget when required by the sponsoring agency;
- Conform to other provisions of Uniform Guidance, 2CFR 200.306 Subpart D, as applicable.
The SR development department ensures that the proposal budget reflects only the proper level of cost-sharing required. Since documenting cost-sharing is a time consuming process for PIs and research foundation staff, efforts are made to not offer cost-sharing when it is not required or difficult to document.
The SR administration department works with the PI to ensure all cost-sharing is adequately documented and source documents are provided. Whether it is mandated or voluntary, budgeted cost-sharing must be documented in the post-award phase of a project by the PI. The SR administration department summarizes the actual cost-sharing received, ensures documented cost-sharing is reported to sponsor agencies as required, and maintains the cost-sharing summary and the source documentation in the award file. PIs should contact their SRD development specialist with questions regarding including cost-sharing in a proposal. The grants specialist is available to respond to questions regarding documenting cost-sharing on awards.
ii. Program Income Policy
Federal regulations define program income as gross income earned by a grantee or its subcontractors that is directly generated by a grant-supported activity or earned as a result of the grant. (OMB Uniform Guidance, 2 CFR 200.80)
Program income includes, but is not limited to, income from fees for services performed, the use or rental of real or personal property acquired under the grant, the sale of commodities or items fabricated under the grant, -, and interest on loans made with grant funds. Program income does not include interest earned on advances of federal funds or the receipt of principal on loans, rebates, credits, discounts, etc., or interest earned on any of them, except if specified in the terms and conditions of the federal award.
All program income earned during the project period shall be retained by the SDSU Research Foundation in accordance with federal awarding agency regulations and the terms and conditions of the award and shall typically be used in one of the following ways:
- Additional Funds: program income funds will be added to the amount awarded by the federal awarding agency and must be used in accordance with award terms and conditions for the purposes of the award.
- Cost Sharing or Matching: with prior approval of the sponsor agency, program income may be used to meet the cost-sharing requirement of the federal award.
PIs are responsible for notifying SR Administration of any revenue that is associated with or generated by a sponsored program, regardless of whether the sponsor is federal or non-federal. If it is determined that the revenue is program income, the SR grant specialist will work with the PI to establish a 9-ledger fund in the research foundation’s accounting system. Facilities and Administrative Costs (F&A) and Fringe Benefit rates will be applied to program income 9-ledger funds at the same rate as the sponsored project associated with the fund or at a minimum of 6%, whichever is greater.
PIs are responsible for ensuring all funds received for program income are deposited into a program income fund and expended in accordance with research foundation policies and procedures and sponsor agency terms and conditions. PIs should also monitor the monthly budget reports produced for program income funds in a manner consistent with that used to monitor their other project funds.
During the life of the award, the SRA grant specialist will approve expenditures against the program income fund in accordance with the research foundation’s policies and procedures and sponsor agency terms and conditions (see Section II.G Expenditure Processing). The grant specialist, in conjunction with finance & accounting, will ensure that program income costs are included on sponsor required financial reports and are accurately reported to the federal government.
As funds are received, the SR administrator will deposit the checks/cash into the 9-ledger fund established to receive the income.
SR administrators will monitor and reconcile program income funds in a manner consistent with the method used to administer grant funds.
iii. Credit Card Processing and Security Policy - Merchant Services Policies and Procedures
Some SDSURF projects accept donations or payments for goods or services such as application and registration fees and have been set-up with credit card merchant accounts. Projects accept payments through point of sale (POS) terminals or have agreements with third-party processors to provide payment gateway services that allow customers to make purchases on-line via the Internet.
The ability to accept credit card payments comes with risk and the responsibility to protect sensitive cardholder data.
SDSURF projects that participate in card processing activities (merchants) are required to follow strict procedures to protect customers’ credit card data. The credit card companies (including Visa, MasterCard, Discover, and American Express) have developed standards that all credit card merchants must follow called Payment Card Industry Data Security Standards (PCI DSS). In addition, all projects utilizing merchant accounts must adhere to the ICSUAM Credit Card Payment Policy, San Diego State University Information Security Plan and SDSURF’s Merchant Services Policies and Procedures at Credit Card Processing Security Policy). (PDF Format 49KB)*
Failure of merchants to comply with these standards and guidelines and otherwise adequately protect sensitive cardholder information will result in the suspension of merchant privileges. In addition, fines may be imposed by the affected credit card company, ranging from $5,000-$50,000 per violation, per month out of compliance, per credit card company.
For complete detail on program requirements and procedures go to Credit Card Processing Security Policy. (PDF Format 279KB)*
iv. Effort Reporting Procedures
Educational institutions conducting research, instruction, and/or other sponsored work under grants, contracts, and other agreements with the federal government are required to comply with the costing principles described in OMB Circular 2 CFR PART 220 for awards issued prior to December 26, 2014. Section J.10 of Circular 2 CFR PART 220 describes the principles, criteria, and examples of how employee compensation for personal services rendered under sponsored agreements should be charged and subsequently documented. The Office of Management and Budget (OMB) combined eight federal circulars into a single guidance document (known as Uniform Guidance, or 2 CFR 200) to be used by all agencies. These regulations became effective December 26, 2014 for awards issued or amended to incorporate these regulations on or after that date.
The salary and wage costs of employees with a university (SDSU) appointment are compensated to the employee by SDSU, SDSU Research Foundation or a combination of both organizations. The effort reporting system described herein was established to meet the requirements of Section II. J.10 referenced above and reviewed to ensure it meets the requirements outlined in the OMB Uniform Guidance, 2 CFR 200.430.
The effort report contains comprehensive time and effort information, including percent of SDSU assignment allocated to instructional activities, reimbursed time, direct pay, and cost-sharing or release time for faculty and staff who work on federally and non-federally sponsored programs. To maintain consistency, effort reports are prepared, distributed, and certified for all employees with a SDSU appointment who work on sponsored agreements. The research foundation attempts to complete this process within 120 days of the end date of the effort reporting period. Effort reports are typically created 60 days after the end date of the term period. The reports are distributed electronically via PI Profile to the employee for review and certification. Follow-up notices are sent and if necessary, phone calls and office visits are made to ensure the effort reports are certified in a timely manner.
The sponsored research services division is responsible for the preparation, dissemination, and collection of all effort reports. Information is gathered during the year on all SDSU faculty and instructional staff. The information is gathered from workload forms, downloads from the research foundation's financial system, and cost-sharing information provided by SRA grant specialists.
The recipient of an effort report is required to certify that the distribution of effort recorded in the payroll systems and reported on the effort report is a reasonable estimate of the actual work performed during the period covered by the report. If not, the individual must indicate the correct distribution of effort so that the payroll allocations can be corrected. Notifications of updated effort reports that require certification are sent monthly.
See Cost-sharing Policy (PDF Format 99KB)* for more information about effort reporting.
v. Export Controls
Current export law controls certain hardware, data materials, chemicals information, individuals and other items pertaining to a wide range of designated “Defense Articles” and “dual use” items in a way that may have a substantial impact on research at U.S. universities. Every award is subject to export control regulations whether or not there is an explicit clause within the award document. Also, individuals carry responsibilities with regard to the export of certain materials on the Commerce Control List (US Department of Commerce) or U.S. Munitions List (US Department of State) and Office of Foreign Asset Control (OFAC-US Department of Treasury). The majority of activities SDSURF is involved in meets the exclusion test as fundamental research and does not involve sanctioned countries or individuals. There may be exceptions. These must be reviewed to ensure that SDSURF is in compliance with export control regulations. Questions regarding the applicability of export controls on a specific program should be directed to the SDSU Export Control Officer. (See: http://newscenter.sdsu.edu/researchaffairs/exportcontrols.aspx)
vi. Information Assets Acceptable and Responsible Use Policy
vii. Electronic Approvals
SDSU Research Foundation utilizes information systems that support electronic transactions, including electronic approvals (e-authorization). Unique accounts (user ID and password) are created for individual PIs and employees and are for the use of the assigned individual only and must NOT be shared. Use of on-line user IDs and passwords in SDSU Research Foundation systems is the equivalent of a wet ink signature on paper. Individuals shall be liable for all activities on their assigned accounts.
viii. Password security
User accounts (unique user ID, password and job specific system permissions) are assigned directly to users with a need to access various SDSU Research Foundation systems. Passwords are assigned to individual users for exclusive use only and should not be shared with, or delegated to, others. Use of on-line user ID and passwords in research foundation systems is the equivalent of a wet ink signature on paper and individuals are responsible for maintaining the confidentiality of assigned credentials. Managers should ensure that users are not asked to reveal their personal passwords, except under limited circumstances. Coordinate with your SDSU Research Foundation HR Business Partner if you believe there is a need to require an employee to reveal a password. Password construction guidelines and secure methods of delegating authority (back-up coverage, extended absence coverage, shared workloads, etc.) are described in the SDSU Research Foundation Password Policy.
Secure Account Usage / Password Protection Standards
Passwords are the front line of protection for user accounts. A poorly chosen password may result in compromising the research foundation’s entire organizational network. As such, all research foundation personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any SDSURF facility, has access to the SDSURF network, or stores any non-public information (including contractors and vendors with access to SDSURF systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
- Do not share passwords. All users are responsible for keeping their passwords confidential. Accounts created for an individual are for the use of that individual only. Users are responsible for any use of their assigned account(s).
- Use different passwords for different systems and do not use the same password(s) for both business and personal applications.
- Never use the “remember me on this computer” feature of any applications.
- Do not embed passwords into programs.
- Change passwords often, at least once every six months (or semester).
- Change password immediately if it is suspected to have been compromised and report the incident to your supervisor or computing services personnel immediately.
- Do not re-use passwords.
- Passwords must never be stored in a file on ANY computer system (including mobile phones, laptops, PDAs, etc.) without encryption. Passwords should not be written down. However, if it is necessary, the password should not be written or stored with the user ID or application name and must be secured in a locked drawer.
ix. Data Classification and Handling Policies
Information Classification Standard
SDSU Research Foundation has adopted the draft CSU Data Classification and SDSU Information Classification standards as a minimum information classification standard. Full information on the Information Classification Standard is available in the San Diego State University Information Security Plan, Section 3.0. It is available on the SDSU IT Security Office (ITSO) website at http://security.sdsu.edu/policy/. These standards outline three levels of classification and standards to which information must be secured:
1. Protected Level 1 – mandated by law or regulation
2. Protected Level 2 – proprietary, ethical or privacy considerations
3. Protected Level 3 – public information.
Along with these standards, the following guidelines and policies have been established by SDSU Research Foundation to assist in reducing exposure to information and data loss.
- Information security is essential whether information is conveyed electronically, over the phone or in written documents, whether it is acquired, transmitted, processed, transferred and/or maintained by SDSURF.
- All SDSU Research Foundation staff, PIs, project directors and entities working on behalf of SDSURF are subject to these guidelines and policies, and adhering to SDSU Information Security policies and procedures, including periodic Security Awareness Orientation training.
- Non-research foundation (personal) information (both electronic and non-electronic), such as personal credit reports, personal bank statements, or even contact information from a synchronized cell phone or PDA should not be stored on SDSURF systems as SDSURF does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (yours), but also to any third party personal information (someone else’s).
x. E-Mail Services
All SDSU Research Foundation active employees are eligible for a campus hosted e-mail account. Others with special relationships with SDSURF, such as volunteers, may be issued accounts upon approval. The @mail, @foundation, and @kpbs.org mail accounts are all issued and maintained by SDSU and hosted by Google Apps Gmail. Accounts are managed by SDSU Enterprise Technology Services (ETS). Legal first and last name, date of birth and RedID are required to request a campus hosted e-mail account. http://ets.sdsu.edu/helpdesk/email.htm.
It is each account user’s responsibility to manage e-mail messages classified as official communications in accordance with CSU, SDSU and SDSU Research Foundation records management policies. E-mail is not a good archival system for important documents. Employees should work with their supervisors and IT Help Desk to determine the best method for preserving and managing e-mail messages that contain information that should be classified as an official record.
Mailbox permissions are disabled and purged upon request or when the person no longer meets eligibility requirements, typically a grace period beyond the employee’s termination date. It is the responsibility of the PI and/or employee’s manager to preserve any e-mail communications classified as official business records when an employee separates employment with the research foundation.
xi. Intellectual Property
The Technology Transfer Office (TTO) manages all aspects of intellectual property (IP) with the goal of bringing qualifying properties to the open market. It helps to identify discoveries and creative works that need protection and have commercial potential. In addition, the TTO provides appropriate documents for the protection of IP, such as confidential disclosure documents. Managing the commercialization of these inventions, authored works, and other projects is also part of the TTO service. Other services include patent, copyright, and trademark filing, technology assessment, as well as marketing and marketing research. For additional information access: http://tto.sdsu.edu/.
xii. Research Integrity/Regulatory Compliance
SDSU is committed to achieving the highest standards in its conduct of research. Through the University Research Council, standing committees implement federal, state and institutional policies associated with research compliance as well as research development and promotion. Sponsored Research Contracting and Compliance (SRCC) in collaboration with the SDSU Division of Research Affairs has oversight of regulatory assurances between the federal government and the university. These assurances are agreements that detail the responsibilities of those involved in the conduct of research to ensure the research is carried out in a manner consistent with accepted standards of ethical research practices. Programs that support research integrity and compliance include:
- Animal Care and Use Program
https://newscenter.sdsu.edu/researchaffairs/animalcare.aspx
SDSU is committed to ensuring the humane care and use of all animals associated with its research and teaching programs. Stringent federal laws and policies, such as the federal Animal Welfare Act, regulate the use of animals in research. The SDSU Animal Care and Use Program meets or exceeds all requirements through oversight by the Office of Laboratory Animal Care and the Institutional Animal Care and Use Committee. The Animal Care and Use Program has two components:
- Office of Laboratory Animal Care (OLAC)
The SDSU Office of Laboratory Animal Care (OLAC) is housed within/overseen by the College of Sciences. The primary objective of the OLAC is to ensure that each animal at the university receives the highest quality of care tailored to its individual needs. The OLAC includes on its staff a veterinarian board certified in Laboratory Animal Medicine, a Vivarium manager, and laboratory animal technicians and caretakers.
The OLAC staff observes animals daily to ensure their health and welfare. The veterinarian serves as a member and consultant to the Institutional Animal Care and Use Committee on matters relating to animal health and veterinary care. The campus veterinarian participates in reviewing animal studies, performing facility inspections, and assisting in training faculty and students who will be working with animals.
Animal Care Technicians provide daily care for laboratory animals. The first qualification for obtaining a position in OLAC is having compassion for animals. Many of the technical staff are graduates of animal health technology programs of universities or technical schools. On-the-job training, informal lectures, and formal course work provide personnel with knowledge of the laws governing animal research and methods of proper care and handling of a wide variety of animal species. OLAC encourages employees to take certification examinations that are offered through the American Association for Laboratory Animal Science.
The Office of Laboratory Animal Care, in conjunction with the Institutional Animal Care and Use Committee, monitors and ensures compliance with federal and state laws, regulations, and guidelines governing the care, use, and housing of animal subjects used in research, testing, and teaching. OLAC provides services and resources needed by investigators to accomplish their animal research objectives and assists in providing training in laboratory animal care and use to technical personnel, students, and faculty. - Institutional Animal Care and Use Committee (IACUC)
The SDSU Institutional Animal Care and Use Committee (IACUC) is a committee of the University Research Council and is administered through the Division of Research Affairs. The vice president for research is the "institutional official" responsible for research and teaching involving animal subjects.
Through the IACUC, which includes veterinarians, scientists, and private citizens as members, SDSU ensures that all research, testing or educational instruction involving animals is conducted in a humane manner using the fewest number of animals possible to obtain valid results. Charged with this responsibility, the IACUC:
- Reviews all proposed uses of live vertebrate animals in research, teaching and testing, including regular reviews of all ongoing projects.
- Inspects all the animal facilities at least once every six months. Any deficiencies noted are classified as "significant" or "minor." The Institute of Laboratory Animal Resources (ILAR) Guide for the Care and Use of Laboratory Animals (the Guide) is used as a basis for the evaluation. Expected completion dates for deficiencies to be corrected will be specified. If required, any corrections required by the USDA will be reported to the USDA.
- Reviews the animal care and use program at least once every six months.
- Submits semi-annual reports of facility inspections and program reviews to the Institutional Official (Vice President for Research).
- Submits an annual report to the Public Health Service, National Institutes of Health (NIH), and Office of Laboratory Animal Welfare (OLAW) detailing changes in the animal care and use program, changes in IACUC membership, and the results of the semi-annual facility inspections and program reviews.
- Submits annual reports to the USDA.
- Investigates all concerns involving the care and use of animals at SDSU.
- Makes recommendations to the Institutional Official regarding the animal care and use program, animal facilities, and the care and use training programs available to personnel.
- May suspend a previously approved animal related activity if the committee determines that the activity is not being conducted in compliance with the Animal Welfare Act, PHS policy, or the Institutional IACUC policies.
- Cooperates with other administrative units at SDSU to ensure compliance with other university policies and other regulations involving animals as the need arises. This includes Graduate and Research Affairs, Division of Research Affairs (e.g., which oversees completion of Materials Transfer Agreements and Student Thesis Committee Appointment Forms), SDSU Research Foundation (e.g., contract and grant proposal routing forms), and Environmental Health & Safety (e.g., authorizations for use of radioactive materials and controlled substances).
- Office of Laboratory Animal Care (OLAC)
- Biosafety
https://newscenter.sdsu.edu/researchaffairs/ibc.aspx
SDSU is responsible for ensuring that recombinant DNA research or experiments involving biological materials or potentially hazardous materials are conducted in compliance with the NIH Guidelines for Research Involving Recombinant DNA Molecules (NIH Guidelines) and the CDC Biosafety in Microbiological and Biomedical Laboratories guidelines to promote safe and responsible practices. On behalf of SDSU, the Institutional Biosafety Committee (IBC) reviews research for this purpose. The IBC is a committee of the university research council appointed by the Vice President for Research.
The Division of Research Affairs provides administrative support to the IBC. The IBC membership is determined based on federal guidance and includes a biosafety officer, an animal expert, scientists, and private citizens. Principal investigators using biohazardous materials or conducting experiments involving recombinant DNA in their laboratories must obtain approval from the IBC. To initiate this process, the investigator must complete a Biological Use Authorization (BUA) Form. The BUA may be reviewed and approved by the institutional biosafety officer (IBO) for BL-1 experiments. The IBO and the IBC will review research involving BL-2 or BL-3 experiments. - Conflict of Interest
https://newscenter.sdsu.edu/researchaffairs/coi.aspx
The conflict of interest committee evaluates research when an investigator discloses a significant financial interest that may influence the conduct of the activity. The committee determines what, if any, conditions or restrictions should be imposed on the investigator or research protocol in order to manage, reduce or eliminate such conflicts of interest.
The conflict of interest policies of the university serve as a guide to faculty and other employees with principal responsibility for research projects conducted at San Diego State University and establish procedures to be followed to comply with state and federal requirements for review and oversight of research. - Human Research Protection Program
https://newscenter.sdsu.edu/researchaffairs/hrpp.aspx
SDSU assumes responsibility for the protection of the rights and welfare of human subjects in accordance with federal regulations and SDSU's Federal Wide Assurance issued by the U.S. Department of Health and Human Services. The Institutional Review Board (IRB), a standing committee of the University Research Council, reviews research involving human subjects to ensure that all projects conform to the federal and institutional regulations and policies. This site is designed to provide access to information for the faculty, students, and employees of SDSU who plan to conduct research that involves human subjects. - Responsible Conduct of Research
https://newscenter.sdsu.edu/researchaffairs/rcr.aspx
SDSU is committed to maintaining the highest standards in the conduct of research and scholarship. SDSU’s policy on Integrity in Research and Scholarship is approved by the academic senate as well as the Department of Health and Human Services' Office of Research Integrity (ORI).
Information and educational materials to facilitate the responsible conduct of research are available through the following web sites. - Research Integrity/Misconduct Policy
https://newscenter.sdsu.edu/researchaffairs/draintegcomp.aspx - Human Research Protection Program - Education and Training in Research Ethics
https://newscenter.sdsu.edu/researchaffairs/hrpp.aspx - Project TRES
http://go.sdsu.edu/researchaffairs/ethicstraining.aspx - Education and Training in the Care and Use of Laboratory Animals
https://newscenter.sdsu.edu/researchaffairs/acuptraining.aspx - Office of Research Integrity (ORI)
http://ori.hhs.gov/
*Note: Documents in Portable Document format (PDF) require Adobe Acrobat Reader 9.0 or higher to view. Download Adobe Acrobat Reader