Across the United States, watchdog entities such as Inspectors General and State Auditors regularly assess the work of grant-making agencies tasked with carefully monitoring both their own use of federal funds and use by subrecipients and grantees. Every year, dozens of agencies are penalized for inadequate internal controls and insufficient, incomplete, or non-existent monitoring programs.
In an analysis of 56 audit reports at both the state and Federal levels, the Vander Weele Group reviewed 714 findings related to deficiencies in either internal controls or subrecipient monitoring. A breakdown of the results is included below.
Internal Controls
Insufficient internal controls were far and away the most common finding, noted in areas as diverse as information technology, subrecipient monitoring, eligibility testing, and reconciliations.
Significant examples of the impact of inadequate internal controls from these reports include:
Millions of dollars in payments made on ineligible or unsupported applications for pandemic relief funding to support displaced and disabled students;
Fraudulent purchases (totaling more than half a million dollars in one state) made using educational grants intended to support needy families;
Unemployment compensation payments made on fraudulent claims (nearly $20 million in one state) and to deceased claimants;
Children's Health Insurance Program (CHIP) reimbursement claims drastically in excess of the federal limit; and
Unallowable reimbursements (totaling more than $15 million in one state) made to state agencies using COVID-19 relief funds.
Staffing challenges, lack of training, insufficient or flawed technological resources, insufficient documentation or communication of policies, and weak fraud prevention protocols were identified as reasons for substandard internal control processes and procedures.
Reporting Requirements
Uneven implementation of federal or state reporting requirements was a common finding, both at the agency level and among subrecipients. Typically, findings were focused on the completeness and consistency of reports, whether assurances could be made concerning the accuracy of data, and whether sufficient supporting documentation of various kinds was available.
Mistakes in reporting were attributed to human error, employee or subrecipient inexperience, a lack of written policies governing reporting, a lack of documented guidance provided to subrecipients, gaps in internal controls related to information technology, and technical problems with online reporting systems.
Documentation
A significant number of programs received findings related to documentation, whether it was for incomplete records, missing required elements, clerical errors, or lack of retention.
In more than one case, agencies did not notify subrecipients and grantees of their obligation to collect, record, or submit specific types of documentation. Among those that did, several were reprimanded for collecting insufficient or inappropriate documentation (for example, screenshots of a financial database or documentation from prior fiscal years). Some were constrained by financial systems which did not properly retain documentation year-over-year, preventing auditors from evaluating whether departmental procedures had been followed. Other agencies lacked procedures to provide or maintain documentation on behalf of subrecipients. Still others could not produce their own documentation to support assurances that grant funds were used in compliance with federal law and the award terms.
Lack of training was consistently the most cited cause for this finding, followed by a lack of written retention policies, failure to effectively communicate retention policies (including to subrecipients and contractors), and technological issues.
Monitoring
Despite it being mandatory, there were numerous instances in which agencies had no monitoring programs in place or did not execute any monitoring activities. Even among those that did, the quality and completeness of their monitoring plans—and the extent to which they followed them—varied significantly.
In a review of three states’ use of Governor’s Emergency Education Relief Fund (GEER) funds, two were found to have no written monitoring plans in place for some or all the initiatives under review. One state also did not provide subrecipients with required information designed to ensure compliance with the terms and conditions of various subawards. In state single audits nationwide, several agencies did not select subrecipients for monitoring based on the results of their risk assessment. Multiple agencies were cited for failing to notify subrecipients of audit requirements. Many of these did not ensure that mandatory single audits were performed in cases where subrecipients reached or exceeded the $750,000 threshold. In a few cases, major departments were unaware of their obligation to monitor subrecipients at all.
In many cases, staffing challenges, lack of training, aging infrastructure, and the ongoing effects of the COVID-19 pandemic were cited as contributing factors to absent or deficient monitoring.
Risk Assessment
Conducting risk assessments is a key component of, among other mandatory processes, subrecipient monitoring, as decisions about who will be monitored are required to be risk-based. However, in the case of findings related to risk assessments, the most common was that they had not been conducted, or if they had, the auditors could not be reasonably assured they were conducted in compliance with federal standards. This was sometimes true even in cases in which the agency had a formal risk assessment process in place.
Another recurring finding was that although risk assessments had been conducted, they were either not being used to identify subrecipients at greatest risk for misuse of federal funds, or those subrecipients were not being selected to undergo monitoring. Lack of training—specifically, a lack of knowledge concerning the requirement to conduct risk assessments—was the primary reason offered for these findings.
Financial Reporting and Expenditures
Missing or inaccurate financial reports, delays in reconciling expenditures, and failure to review expenditures for allowability were common findings in the sample of reports reviewed for this study.
Staffing challenges, poor guidance, and deficient communications regarding allowable costs were the most cited causes, but in some cases, pass-through agencies failed entirely to communicate reporting requirements to subrecipients and grantees or did not review reports for completeness and accuracy.
Single Audits
During the COVID-19 pandemic, there was a dramatic increase in the number of findings wherein state agencies did not ensure that subrecipient single audits were conducted, or at minimum, could not provide verification of having done so. In others, while the Single Audits were performed, they were not reviewed for accuracy and completeness by the pass-through agency.
While this number has declined since 2021, responses from agency administrators in multiple reports continue to attribute these failings to the rapid rollout of COVID-19 relief funding and the frequency with which federal guidance changed, conflicted, or was released in an incomplete state.
Performance Assessment and Reporting
In 2020, performance assessments and reporting were almost universally late, incomplete, or missing across all levels of government and among subrecipients and grantees. The overwhelming majority of these were a direct result of the pandemic and its impact on both staffing and health and safety concerns around on-site visits.
In subsequent years, a return to something like business-as-usual has occurred. While there continue to be some delays in performance assessments and reporting, overall rates of completion improved significantly in 2021 and 2022.
Corrective Action Plans and Corrective Action Follow Up
In this category, as in several others, there was a marked reduction in the number of related findings, likely due to agencies returning to business-as-usual following the worst of the COVID-19 pandemic. Where findings did occur, they were most commonly concerned with a lack of follow-up by state agency personnel on the status of corrective action plans issued to subrecipients. Other recurring themes were failure to issue management decisions that would have allowed subrecipients to implement corrective actions plans and failure by agencies to implement corrective action plans provided during previous Single Audits.
The Future of Grants Monitoring
As federal and state agencies catch up on the enormous backlog of monitoring and auditing activities related to pandemic relief funds, evidence of significant fraud has come to light. Each week, new stories break regarding the theft and abuse of millions of dollars across multiple programs intended to support the public during the health crisis. Overall, experts estimate that roughly $80 billion (or 10%) of pandemic funds have been lost to theft and abuse.
The emerging investigations around these thefts underscore the importance of measures that prevent, detect, and respond to fraud, including regulations that mandate internal controls, risk assessments, policies and procedures, and monitoring reviews. In the words of the Vander Weele Group’s President and CEO, Maribeth Vander Weele: “This type of fraud isn't just damaging to program integrity, but to vulnerable members of our communities who were intended to benefit from them. As grant monitors, my team strives to prevent losses like these and to help ensure Federal and state funds are used to achieve the best possible outcomes. Stories like this make it clear there's still more work to be done, and it will take all of us pulling together to get there.”
Overwhelmed? The Vander Weele Group can help.
The Vander Weele Group provides turn-key oversight solutions for federal and state grant programs. We specialize in monitoring large-scale programs nationwide, combining grants monitoring expertise with industry-specific program experience. The firm offers traditional fiscal and compliance reviews, programmatic monitoring, risk assessments, internal control reviews, data analytics to detect fraud, forensic audits, best practice recommendations, and technical assistance for grantees.