Subrecipient monitoring is one of the more challenging areas to achieve single audit compliance. The time and effort, collaboration, communication, and commitment from both a pass-through entity and a subrecipient all contribute to one of the least understood compliance requirements that unfortunately often leads to significant findings with questioned costs.
Subrecipient monitoring will and should look different for each agency and grant program. There is no one size fits all policy. However, the following will describe best practices to allow each pass-through entity to implement an effective and appropriate subrecipient monitoring program.
Single audit requirements can be complex.
Breaking Down Subrecipient Monitoring
Subrecipient monitoring can seem onerous and overwhelming. However, compliance can be broken into three primary components: pre-award, during the award, and post-award. Segregating the requirements into these buckets makes compliance more manageable and helps to identify the applicable processes.
Risk Assessment in Single Audit
Risk assessment is the tool to help reduce noncompliance to an acceptable level and is required in Uniform Guidance. It guides the pass-through entity in determining the appropriate level of oversight needed over the subrecipient. Unfortunately, many risk assessments are ineffective, inefficient, or just plain miss the mark. Organizations often are just checking a box noting risk to be low, medium, or high, with very little consequence or impact to that checkmark.
An appropriate risk assessment policy takes an objective look at subrecipient performance and based on that assessment determines the level of training and general oversight needed. For example, if your subrecipient submits 1,000 invoices every month for reimbursement; your procedures should be different if the subrecipient has historically been excellent with no reimbursement request problems versus if the subrecipient submits untimely, inaccurate or incomplete reimbursement requests. An effective risk assessment policy is key to determining the level of monitoring subrecipients that is needed.
Pre-award requirements are essentially all the required data elements in the subaward. There is a laundry list of required elements noted in 2 CFR 200.331(a). The required provisions of these agreements should be standardized and ensure every data element is included. However, an important item of customization is the inclusion of special terms and conditions that the pass-through entity would like to impose on the subrecipient. This ties directly back with risk assessment. If the subrecipient is higher risk, the pass-through entity should consider imposing special terms and conditions to help ensure subrecipient compliance. An example of such term and condition would be a required minimum amount of grant training hours.
Not mentioned in required elements under 2 CFR 200.331(a) but included under 2 CFR 200.313 is the requirement for checking suspension and debarment. Remember, subrecipients such as other local governments and non-profits can be suspended or debarred from receiving federal awards (not just contractors). The suspension and debarment check should be performed prior to awarding any federal funds to a subrecipient.
During the Award
The monitoring performed while the subaward is active is probably the most challenging. A pass-through entity is responsible for monitoring the subrecipient to ensure reasonable assurance over compliance. In many cases, this simply stops at a review of invoices submitted for reimbursement. However, what about cases where volume is very high, whether in the number of subrecipients or the number of invoices submitted? In these cases, 100% review of the reimbursement claim is inefficient and often ineffective. Risk assessment is the answer to this puzzle.
Reviewing reimbursement requests or financial reports, programmatic reports, desk reviews, onsite reviews, and arranging for agreed-upon procedure engagements performed by independent auditors are all available tools. These all imply a different level of oversight and commitment. If your organization has appropriate risk assessment policies, there will be effective consequences to that low, medium, or high risk rating. Pass-through entities should focus most of their resources on the higher risk subrecipients, while still paying some attention to lower risk subrecipients. In high volume situations, maybe a different percentage of transactions could be reviewed depending on risk. Policies that treat everyone equally can be unwieldy and burdensome. Not implementing effective risk-based monitoring often leads to poor relationships with subrecipients and ineffective or cost-prohibitive monitoring as a result.
This should be a relatively straightforward area of compliance. It essentially can be broken down into receiving subrecipient audit reports and issuing management decisions on any relevant findings to the grant program. A management decision is a formal written response on findings related to your organization’s pass-through grant program. They may also include, if deemed necessary, responses to financial statement findings if pertinent to your grant program. The specific requirements of what must be included in the management decision are noted in 2 CFR 200.521.
However, many times, there is a lack of receipt of the audit, little to no tracking of the reports, and no follow-up on findings. An appropriate internal control would list all subrecipients with dates of audits received, number of findings noted, and the date on when management decisions are issued. A tracking tool should be implemented and monitored by appropriate grant personnel to ensure appropriate corrective actions are taken when needed.
Subrecipient Monitoring in Single Audit Requirements
Subrecipient monitoring has many different compliance requirements. However, appropriate and achievable risk assessment policies and procedures that dictate the amount of monitoring to be performed is paramount for success. After the policies, if your organization has standardized subawards and an appropriate audit tracking tool, the chances of incurring significant findings or questioned costs on subrecipient reimbursements is significantly reduced. Combine this with technical training (at the pass-through entity and subrecipient levels), and the risk of noncompliance is even further reduced. It is the pass-through entity’s responsibility to help ensure appropriate technical advice and training is provided.
Remember the goal is appropriate stewardship of grant funds and building relationships with subrecipients to ensure the grant objectives can be achieved.
We broke down various aspects of single audit for you to consider.