There’s an old saying: "To a hammer, everything looks like a nail". To an auditor, everything can look like an audit—even when it’s not an audit, but a subrecipient monitoring review.
Although there is overlap, auditing and subrecipient monitoring are distinctly different professions governed by different rules. When it comes to risk assessments, this is especially important. That’s because Single Audits—required of agencies accepting federal funds—and other audits routinely find that pass-through entities “violate” risk assessment procedures in determining what organizations to monitor.
This results in the dreaded audit finding.
For example, one state’s Single Audit found that the pass-through entity improperly determined that subrecipients were low risk despite negative publicity and significant leadership turnover. Auditors disagreed with the pass-through entity that only subrecipients that distribute grants are high risk.
These are valid points for discussion, but there’s a problem: the auditor’s preferred methodology is not prescribed in any authority that governs monitoring. And citing an agency for failing to follow methodologies that the auditor created—even when they might be logical—is patently unfair. It’s the classic conundrum: How can an auditee be cited for failing to follow a rule that doesn’t exist?
The proper way to handle what auditors perceive as inadequate risk assessments is to raise the issue, but without creating a finding. Kudos to the Office of the Inspector General for the U.S. Department of the Interior for doing just that. In a December 11, 2018 Audit Report, auditors noted the importance of formalized and documented risk assessments, but acknowledged that the regulatory language is not explicit in requiring them. Instead, it recommended that the federal agency provide additional program guidance.
The Purpose of Monitoring
Besides unfairly creating audit findings not linked to rules, imposing overly restrictive or strictly financial-based audit methodologies on monitoring reviews detracts from a key purpose of monitoring: to determine whether grant purposes are being fulfilled.
2 CFR §200.331(d), a section of the Uniform Guidance that governs monitoring, requires pass-through entities to “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” (Emphasis added.)
In other words, monitors should ask not only whether expenditures are allowable under federal rules, but whether the money is helping students, people with disabilities, homeless veterans, disaster victims, endangered wildlife populations or other populations that grant funds are designed to benefit. This is something that auditors don’t ordinarily do.
The Uniform Guidance intentionally provides latitude in how monitoring programs are designed in order to allow organizations to focus more on whether the purposes of each grant are being fulfilled and less on traditional compliance, said Philip A. Maestri, Director of Risk Management Services for the U.S. Department of Education, who co-chaired the task force that created the Uniform Guidance.
“Monitoring should look very different than it did 20 years ago when monitoring was focused on compliance,” said Maestri, in an American School Board Journal article written by this author.
What the Regulations Actually Say
Let’s dive a bit deeper into what the regulations actually say about risk assessments that frame the subrecipient monitoring plan.
Subrecipient monitoring is governed by Title 2 of the Code of Federal Regulations, Part 200, entitled Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Under the Uniform Guidance, as it is commonly called, a “pass-through entity” receives federal funds and passes them through to subrecipients. Technically, a pass-through entity is a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.
2 CFR §200.331(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for the purposes of determining the appropriate monitoring needed to ensure that Federal funds are used properly.
Historically, pass-through entities used cyclical sampling to ensure that all subrecipients were monitored equally over a set period of time, such as three to five years. In 2014, the federal Office of Management and Budget (OMB) consolidated multiple OMB circulars governing cost principles for federal grants, resulting in the set of standards called the Uniform Guidance, the SuperCircular or the OmniCircular. Its adoption signified a shift in how entities are chosen for monitoring.
In requiring a risk-based process, the Uniform Guidance recognizes that high-risk subrecipients should be addressed more quickly and thoroughly than low-risk entities. The risk-based approach also reduces regulatory burden on grant recipients that are compliant and performing well.
According to §200.331(b) risk factors that “may” be considered include:
The subrecipient's prior experience with the same or similar subawards;
The results of previous audits, including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program;
Whether the subrecipient has new personnel or new or substantially changed systems; and
The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
But auditors can confuse this language with language governing risk assessments for audits. One Single Audit auditor went so far as to replace the word “may” with a mandate by saying “the Uniform Guidance requires the risk assessment procedures to include, among other things, the results of recent audits/reviews and the amount of federal funding passed through to the subrecipient.”
In reality, the Uniform Guidance provides only guidance on risk assessment methods. It is silent on sampling methodologies, such as criteria for sampling, sample size, or methodology for stratifying operating units within a subrecipient organization. Ultimately, the risk assessment methodology is left to the professional judgment of the pass-through entity.
The Every Student Succeeds Act of 2015--one of many acts that govern the programmatic aspects of grants monitoring—concurs. It contains multiple references to required monitoring, but it also does not prescribe a risk assessment or sampling methodology.
So given that flexibility, how might a risk assessment be designed?
Continue reading in part two: "Designing A Risk Assessment".