Federal Grant Internal Controls - Are you Audit Ready?
- Gettie Moreno - District Controller
- Amy Guerra - Assistant Controller-Grants Accounting
- Cecilia Martinez - Associate Director, Grants & Contracts Compliance
Non-Federal Entities Responsibility
The non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Internal control should be in compliance with guidance provided in:
- Standards for Internal Control in the Federal Government (Green Book) issued by the Comptroller General of the United States
- The Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
Control Environment
- Sets the tone of the organization
- Influences the control consciousness of its people
- Foundational: provides discipline and structure
- Operates across multiple compliance requirements
Managing in the Control Environment
- Grant policies and procedures should apply entity-wide to ensure consistency and adherence to strategic planning goals
- Each area of the grant process (programmatic & fiscal) should be managed by competent staff who are knowledgeable in their areas of responsibility
- Grant Managers/PIs should be given appropriate authority and understand responsibility for their assigned tasks
- Large entities should create cross-functional teams to support entity-wide grants management
- Small entities face unique challenges such as segregation of duties
Compliance Components
- Risk Assessment: the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks are managed
- Control Activities: control activities are the policies and procedures that aid in making sure that management directives are carried out
- Information and Communication: the identification, capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities
- Monitoring: a process that assesses the quality of internal control measures over time
Key Tasks In Risk Assessment
- Perform a risk assessment of the entity's grants management processes and utilize tools to document process such as a Control Questionnaire
- Consider the level of program risk (e.g., high, medium, low) when establishing control activities
- Consider performing a cost benefit analysis prior to implementing a new control activity
- Consider whether control activities will mitigate the possibility and/or likelihood of fraud
- Continuously assess changes in the regulatory, technology, and operating environment
Key Tasks In Control Activities
- Document both government-wide and individual grant policies
- Develop a timeline and process for updating policies and procedures
- Become knowledgeable and adhere to federal, state and local laws and regulations
- Establish control activities to validate information from third parties
- Develop comprehensive IT policies and procedures and keep them current
- Become knowledgeable and implement federal and state standards for financial management systems and procurement and use them to support grant legal and regulatory requirements
- Continue to update the government's list of debarred vendors
Key Tasks in Info & Communication
- Document the attributes for each of the entity's grants in a format that is accessible to stakeholders and includes:
  o type of grant, time frames, reporting requirements
- Identify grants that require specialized administration
- Ensure that grant requirements are documented in vendor communication
- Develop ongoing communication with grantors and sub-recipients
- Develop ongoing communication with external and internal auditors and stakeholders
- Develop processes to ensure that quality information is utilized in grant decision making
Key Tasks in Monitoring
- Develop a process of on-going programmatic control activities that ensure compliance with laws and regulations
- Provide an annual periodic review of the risk assessment process
- Ensure that program deficiencies are communicated to all responsible parties, including management and elected officials
- Ensure that corrective action plans are implemented, addressing any control deficiencies and responding to the deficiencies in a timely manner.
Compliance Requirements A through N
A. Activities Allowed or Unallowed
B. Allowable Costs/Cost Principles
C. Cash Management
D. Reserved
E. Eligibility
F. Equipment & Real Property Management
G. Matching, Level of Effort, Earmarking
H. Period of Availability (POA)
I. Procurement, Suspension and Debarment
J. Program Income
K. Reserved
L. Reporting
M. Sub-Recipient Monitoring
N. Special Tests & Provision
A - Activities Allowed or Un-allowed
Risk: Federal Awards are expended on un-allowed activities, resulting in a liability.
Suggested List of Control(s)
- Process to identify allowable/un-allowable cost
- Training Plan
Evidence of Compliance
- Written list of allowable and un-allowable expenses with applicable cost principles for each award
B - Allowable Costs/Cost Principles
Risk: Cost of goods & services are not allowable under applicable cost principles
Suggested List of Control(s)
- Training of staff on definitions of Necessary, Reasonable, and Allocable as related to costs.
Evidence of Compliance
- Training Dates and Logs of Key Personnel in attendance
- Grants Accounting & Procedural Manual
- Budget and use of approved account code chart
- Segregation of Duties Chart
- Signature Authority
- Indirect Cost Allocation Plan
C - Cash Management
Risk: Advance Payments not for immediate need. Reimbursement requested prior to disbursement of program costs.
Suggested List of Control(s)
- Process for Advance Payment Method
- Process Cost Reimbursement Method
Evidence of Compliance
- Written advance payment method procedures
- Written reimbursement payment method procedures
E - Eligibility
Risk: Ineligible individuals or organizations receive assistance under a Grant Award.
Suggested List of Control(s)
- Grantor approved participant eligibility requirements
- Process to collect, archive and secure PII from participants
- Training on ethics, Conflict of Interest and Code of Conduct
- Process to monitor participant support costs to ensure proper documentation
- Segregation of duties between key phases in intake, eligibility and approval of enrollment
- Quality Assurance Plan for case records and substantive documentation
Evidence of Compliance
- Written program guidelines aligned with RFP, Proposal and Grantor Guidelines
- Security Plan to include breaches, mitigation, violations, and overall data security
- Training Plan and logs with names, dates, etc.
- Quality Review Plan and dates of reviews
- Standard Operating Procedure addressing key areas of grant operations
- Quality Review Plan and evidence of reviews
F - Equipment
Risk: Inventory not reconciled. Property records not maintained properly. Equipment not used in support of program or project. Lack of maintenance and procedures to safeguard assets.
Suggested List of Control(s)
- Written justification supporting use of equipment in program or project
- Physical Inventory Reconciliation Process and Procedures
- Written procedures on Safeguarding & Maintenance of equipment.
- Process to maintain and archive Property records
- Written procedure on the Disposal of grant sponsored equipment aligned with grantor guidelines.
Evidence of Compliance
- Documentation on placement and usage on file.
- Documentation of inventory conducted to include policy and procedures
- Written procedures on file and/or maintenance agreements.
- List of inventory items purchased for program aligned with official Property records.
- Records of disposal history and approval by grantor on file.
H - Period of Availability (POA)
Risk: Federal funds are used outside of authorized period of availability
Suggested List of Control(s)
- Process to prevent obligation and expenditure of funds outside POA by initiators & approvers
- Plan to communicate cut-off requirements to key staff
- Process to prevent the circumvention of accounting system internal controls
- Process to assure sub-awardees meet required areas of internal control
- Records that support compliance with POA requirements
Evidence of Compliance
- Written Standard Operating Procedures, signatory authority chart, Organization Chart
- Written plan and documentation of official and recurring releases and Training Plan
- Written Standard Operating Procedures
- Training plan, specific contract language, plan and evidence of monitoring
- Quality Review Plan to self monitor and monitor sub-recipients.
I - Procurement, Suspension & Debarment
Risk: Procurement of goods & services are not compliant with 2 CFR 200.317-326. Contracting with or making sub-awards to parties that are suspended or debarred.
Suggested List of Control(s)
- Grantor procurement requirements aligned with sponsor
- Written policies/procedures which reflect federal and state regulations, such as UGMS
- Training of Key Staff in procurement cycle
- Ensure key provisions in contract templates such as Conflict of Interest, SWMBE, EPLS, etc.
- Written procedures on proper use and handling of P-Cards.
Evidence of Compliance
- Written procedures are aligned with 2 CFR 200 and clearly define procurement types.
- Procurement section in Operations manual
- Documentation of dates and attendees
- Sample Contract Templates on file.
- P-Card Procedures in Operations Manual
L - Reporting
Risk: Reporting not supported by accounting or performance records.
Suggested List of Control(s)
- Segregation of duties of who prepares the reports, records the data, reviews and approves submission of the report.
- Training plan for personnel to ensure accuracy, consistency and adherence to compliance requirements.
- Procedures for the collection, quality reviews, archiving and disposition of grant report documents.
- Definitions and taxonomy of terms to be used in reporting
- Reports containing both financial and programmatic data; designation of official responsible for report submission
Evidence of Compliance
- Reporting Plan and evidence of updates
- Training Plan in Standard Operating Procedures (SOP) and evidence of training conducted.
- Reporting SOPs
- SOP
- Addressed in SOP along with dates of submission
M - Sub-Recipient Monitoring
Risk: Federal award information and compliance requirements are not identified to subrecipients. Sub-recipient activities are not monitored and audit findings are not resolved.
Suggested List of Control(s) - Sub-awards Only
- Evidence that all flow-down of grantee requirements and assurances have been communicated to sub-awardee.
- Quality review plan for sub-awardee reporting, performance and financial expenditures.
- Documentation of review plan
- Sanctions for non-compliance by sub-awardee.
Evidence of Compliance
- Contract Instrument with all major requirements on file
- Written Quality Review Plan
- Monitoring reports and evidence they are on file with prime awardee.
- Contract instrument with sanctions annotated.
M - Sub-recipient Monitoring Cont'd
Suggested List of Control(s) - Subcontractors Only
- Evidence of Compliance with procurement and debarment
- Evidence of an approved scope of work in the procurement and contract documents
- Quality review plan for performance, deliverables, support documents, reporting and grant related expenditures
- Sanctions for non-performance
Evidence of Compliance
- Support documentation on file for method of procurement and review of SAM.gov
- Scope of work in the contract or an appendix
- Quality Review Plan and evidence of monitoring in grant files and available for review by auditors
- Contract with sanctions annotated
Other Compliance Requirements D G J K - N
Suggested List of Control(s)
D. Davis Bacon Act: provide reasonable assurance that contractors and subcontractors were properly notified of the DBA requirements and the required certified payrolls were submitted to the non-federal entity
G. Matching, Level of Effort and Earmarking: provide reasonable assurance that matching, level of effort or earmarking requirements are met using only allowable funds or costs which are properly calculated and valued
J. Program Income: provide reasonable assurance that program income is correctly earned, recorded and used in accordance with the program requirements
K. Real Property Management: provide reasonable assurance of compliance with the real property acquisition, appraisal, negotiation and relocation requirements.
N. Special Testing -
Steps To Take When Correcting Findings
- Most instances of noncompliance are the result of a weakness in Internal Control System
  o Understand the cause of the finding
  o Determine if the root cause is isolated or prevalent
  o Assess necessary changes in Internal Controls System
  o Determine training needs
  o Implement changes in Internal Control System
  o Establish monitoring activities to determine if revised controls are functioning efficiently and effectively
  o Adjust as needed
  o Report status of prior audit findings through Summary Schedule of Prior Audit Findings
Resources and Citations
- Uniform Guidance e-cfr (accessible via ecfr.gov)
- Council on Financial Assistance Reform (COFAR) webpage (accessible via cfo.gov)
- Office of Management and Budget Policy Statements (accessible via whitehouse.gov). This includes text comparisons for cost principles and audit requirements
- Federal Compliance Supplement (accessible via whitehouse.gov)