DAY MAY 23, 2017, 3:35-4:50PM. Uniform Guidance - Lessons Learned And To Be Learned. MODERATOR: Jerry E. Durham, Assistant Director for Research and Compliance, Tennessee Comptroller of the Treasury. SPEAKERS: Anne Fritz, Finance Director, City of Saint Petersburg, FL; Nancy Wishmeyer, Controller, City of Aurora, Colorado; Jeff Markert, Partner, KPMG LLP. #GFOA2017
Agenda: Lessons Learned; Internal control; Policies and procedures; Risk assessment; Role of grants management systems; Subrecipient risk assessment and monitoring; Reporting; Common findings under UG; Recent federal activity.
Internal Control
Internal Control Requirements: Non-Federal entities must establish and maintain effective internal control that provides reasonable assurance that the entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Internal controls should be in compliance with: COSO (Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission), and the Green Book (Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States). The Green Book has a similar structure to COSO.
What is Internal Control? AICPA (AU-C 315.04), Green Book (OV1.01) and COSO: Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.
Entity Level and Process Level Controls (diagram). Components shown: Control Environment; Risk Assessment; Information and Communication; Monitoring; Control Activities. Labels: Entity Level Controls; Higher Level Controls; Process Level Controls; Controls that do not specifically relate to an assertion; Controls that specifically relate to an assertion.
Internal Control Lessons Learned: Focus on control activities at the compliance requirement level. Avoid the natural tendency to focus solely on financial reporting controls. Documentation is time consuming and a continuous work in process. Different methods/tools may be appropriate: questionnaires, narratives, flow charts. Many organizations had very little internal control documentation prior to UG.
Internal Control Lessons Learned: Staff often do not understand their internal control responsibilities. Evaluation of internal control design and operating effectiveness needs to be performed by someone. Need to take reasonable measures to safeguard PII. Ensure you understand the difference between a process vs. a control. Knowledgeable, committed staff are key to integrity of internal controls.
Distinguishing a Process from a Control. Business Process: The activity performed by the process owner. Includes a series of steps to initiate, recognize and disclose business transactions in a particular period. A process activity is where an error can occur. Internal Control: Activities that mitigate processing risk (either directly or indirectly) in an entity's business process to an acceptable level. An activity that is performed to prevent or detect an error.
Policies and Procedures
Written policies required by UG: Written policy references in UG (25 times): Financial management, section 200.302; Payment, section 200.305; Procurement, sections 200.318, 200.319, and 200.320; Compensation, sections 200.430 and 200.431; Relocation costs, section 200.464; Travel costs, section 200.474.
Policies and Procedures Lessons Learned: Decentralized environment presents challenges for establishing consistent and appropriate policies and procedures. Consider use of grants management steering committee. Essential to incorporate policies and procedures into training. Utilize grants administration manual. Updates ordinarily must be approved by multiple stakeholders.
Risk Assessment
Risk Assessment Lessons Learned: Understand the difference between entity-wide level and compliance requirement level. Risk assessment should also be performed at the federal program/compliance requirement level. Consider involving internal audit.
Role of Grants Management System
Grants Management System Lessons Learned: Important to have grants management module that identifies federal programs and related costs on front end. Separately identify pre and post UG awards. Take advantage of electronic system capabilities!!!
Subrecipient Risk Assessment and Monitoring
Pass-Through Entity Requirements: Each subaward must clearly be identified as a subaward and include standard data elements, including: requirements imposed by pass-through entity; provision for indirect costs (either negotiated or a de minimis rate of 10%). Clarifies Federal expectations for pass-through entities. Consolidates and clarifies subrecipient monitoring. Must evaluate each subrecipient's risk of noncompliance for purposes of determining appropriate monitoring. Evaluation may include: prior experience with similar subawards; results of previous audits; whether subrecipient has new personnel or systems; extent and results of Federal awarding agency monitoring.
Pass-Through Entity Requirements: Monitoring activities must include: reviewing financial and programmatic reports required by pass-through entity; following up on corrective action; issuing management decisions; verifying every subrecipient is audited as required by Subpart F. Consider taking enforcement action against noncompliant subrecipients. Based on risk assessment, the following monitoring tools may be used: providing training to subrecipients; performing on-site reviews; arranging for agreed-upon procedures engagements.
Subrecipient Risk Assessment and Monitoring Lessons Learned: Fundamental change in mindset from a post-award to pre-award focus. Historically looked at as a back end process. Getting information upfront is difficult. Subrecipient monitoring is more than just checking a box. Difficult to link risk assessment for subrecipient to monitoring activities performed. Consider centralizing monitoring activities for fiscal and administrative. Treat subrecipients like an extension of your organization.
Subrecipient Risk Assessment and Monitoring: Questions to ask? How does the PTE ensure all information required to be communicated to a subrecipient has been communicated? Does the PTE's evaluation of risk include consideration of appropriate factors? What are the responsibilities of the subrecipient in relation to the program? (e.g., determine eligibility, provide services, case management) What compliance requirements are applicable at the subrecipient level? Almost always: Allowability, Cash Management, Reporting, Period of Performance, Procurement, Suspension, and Debarment. Often: Eligibility, Matching, Level of Effort, Earmarking, etc. How does the PTE ensure that costs incurred by a subrecipient are for allowable items and other applicable requirements are met? Consider using subrecipient matrix of direct and material compliance requirements to document monitoring activities by compliance requirement.
Reporting
Schedule of Expenditures of Federal Awards (SEFA): Face of SEFA must include all Federal awards expended, including: noncash assistance; loan programs (beginning balance of outstanding loans plus loans disbursed during period plus interest subsidy, cash, or administrative cost allowance); loan guarantee programs; amounts passed through to subrecipients for each program. Footnotes to SEFA must include: year-end loan balances; whether or not entity used 10% de minimis cost rate; significant accounting policies.
Reporting Lessons Learned: High error rate in submissions to FAC. Common errors include: Not including all required elements on SEFA; Stating whether or not organization is using the 10% indirect cost rate; Stating whether the financial statements were prepared in accordance with GAAP; Disclosing in findings whether sample was statistically valid; Disclosing in findings whether the finding was reported in the prior year. Gather relevant grant information in one place.
Reporting Lessons Learned: Reports are significantly more visible now that they are publicly available. Need to include separate corrective action plan. Views of Responsible Officials is not sufficient. CAP and SSPAF must include both GAGAS and UG findings.
Common Findings under UG
Common Findings under UG: NFE not able to identify pre and post UG expenditures. PTE did not make subrecipient aware of award information required by 200.331(a). PTE did not adequately perform risk assessment of subrecipients to determine appropriate monitoring and/or did not document. PTE did not adequately document risk assessment. PTE did not update monitoring procedures and tools based on UG. Whether the lack of written policies under UG, by itself, results in a reportable finding appears to be a facts and circumstances evaluation based on nature of noncompliance and control deficiencies identified.
Common Findings under UG: PTE did not adequately perform or had missing monitoring activities. NFE did not have effective internal control over direct and material compliance requirements. NFE did not comply with procurement requirements of UG. SEFA not including all required elements under UG.
Recent Federal Activity
OMB Activity: Potential delay of COFAR Frequently Asked Questions (FAQ). Procurement: status of micro purchase threshold increase; potential extension of procurement delay for third year. SEFA pilot project (Federal Audit Clearinghouse): goal is to eliminate separate preparation and presentation of SEFA; 20 participants in recent project; expected to be incorporated into FAC in 2019. Future CFDA number format changes: from XX.XXX to XXX.XXXX; first three digits to align with federal agency number used by Treasury; last four digits to provide greater flexibility to agencies in assigning program numbers. 2017 Compliance Supplement.
2017 Compliance Supplement: No major changes, but one clarification to two-year look back rule. When OMB adds a new CFDA number to a cluster listed in Part 5, the cluster does not meet the two-year look back unless the client's current year expenditures for the new CFDA number were less than or equal to twenty-five percent (0.25) of the Type A threshold. For example: Type A threshold $750,000. Cluster ABC (93.123, 93.125 and 93.127) was audited in 2015 with no audit findings. The 2017 Compliance Supplement added CFDA 93.129 to the cluster. The organization's expenditures for 2017 were: 93.123: $300,000; 93.125: $400,000; 93.127: $500,000; 93.129: $300,000. 2017 major program determination: Cluster ABC was audited in 2015. However, because the organization's current year expenditures for CFDA 93.129 exceed $187,500 (0.25 of the Type A threshold), cluster ABC fails the two-year look back criteria.
Student Financial Aid: SFA as a major program issue: same process as 2016 (send email). Gramm-Leach-Bliley (Cybersecurity) update: to be tested starting in 2018.
Contact Information: Anne Fritz, Finance Director, City of Saint Petersburg, FL, Anne.Fritz@stpete.org; Nancy Wishmeyer, Controller, City of Aurora, Colorado, Nwishmey@auroragov.org; Jeff Markert, Partner, KPMG LLP, jmarkert@kpmg.com
Thank you!!!