Grants Monitoring: How Auditors Get it Wrong on Risk Assessments
There’s an old saying that To a Hammer, Everything Looks Like a Nail. To an auditor, everything can look like an audit—even when it’s not an audit, but a subrecipient monitoring review.
Although there is overlap, auditing and subrecipient monitoring are distinctly different professions governed by different rules. When it comes to risk assessments, this is especially important. That’s because Single Audits—required of agencies accepting federal funds—and other audits routinely find that pass-through entities “violate” risk assessment procedures in determining what organizations to monitor. This results in the dreaded audit finding. |
|
For example, one state’s Single Audit found that the pass-through entity improperly determined that subrecipients were low risk despite negative publicity and significant leadership turnover. Auditors disagreed with the pass-through entity that only subrecipients that distribute grants are high risk.
These are valid points for discussion, but there’s a problem: the auditor’s preferred methodology is not prescribed in any authority that governs monitoring. And citing an agency for failing to follow methodologies that the auditor created—even when they might be logical—is patently unfair. It’s the classic conundrum: How can an auditee be cited for failing to follow a rule that doesn’t exist?
The proper way to handle what auditors perceive as inadequate risk assessments is to raise the issue, but without creating a finding. Kudos to the Office of the Inspector General for the U.S. Department of the Interior for doing just that. In a December 11, 2018 Audit Report, auditors noted the importance of formalized and documented risk assessments, but acknowledged that the regulatory language is not explicit in requiring them. Instead, it recommended that the federal agency provide additional program guidance.
These are valid points for discussion, but there’s a problem: the auditor’s preferred methodology is not prescribed in any authority that governs monitoring. And citing an agency for failing to follow methodologies that the auditor created—even when they might be logical—is patently unfair. It’s the classic conundrum: How can an auditee be cited for failing to follow a rule that doesn’t exist?
The proper way to handle what auditors perceive as inadequate risk assessments is to raise the issue, but without creating a finding. Kudos to the Office of the Inspector General for the U.S. Department of the Interior for doing just that. In a December 11, 2018 Audit Report, auditors noted the importance of formalized and documented risk assessments, but acknowledged that the regulatory language is not explicit in requiring them. Instead, it recommended that the federal agency provide additional program guidance.
It’s the classic conundrum: How can an auditee be cited for
failing to follow a rule that doesn’t exist?
The Purpose of Monitoring
Besides unfairly creating audit findings not linked to rules, imposing overly restrictive or strictly financial-based audit methodologies on monitoring reviews detracts from a key purpose of monitoring: to determine whether grant purposes are being fulfilled.
2 CFR §200.331(d), a section of the Uniform Guidance that governs monitoring, requires pass-through entities to “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” (Emphasis added.)
In other words, monitors should ask not only whether expenditures are allowable under federal rules, but whether the money is helping students, people with disabilities, homeless veterans, disaster victims, endangered wildlife populations or other populations that grant funds are designed to benefit. This is something that auditors don’t ordinarily do.
The Uniform Guidance intentionally provides latitude in how monitoring programs are designed in order to allow organizations to focus more on whether the purposes of each grant are being fulfilled and less on traditional compliance, said Philip A. Maestri, Director of Risk Management Services for the U.S. Department of Education, who co-chaired the task force that created the Uniform Guidance.
“Monitoring should look very different than it did 20 years ago when monitoring was focused on compliance,” said Maestri in an American School Board Journal article written by this author.
2 CFR §200.331(d), a section of the Uniform Guidance that governs monitoring, requires pass-through entities to “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” (Emphasis added.)
In other words, monitors should ask not only whether expenditures are allowable under federal rules, but whether the money is helping students, people with disabilities, homeless veterans, disaster victims, endangered wildlife populations or other populations that grant funds are designed to benefit. This is something that auditors don’t ordinarily do.
The Uniform Guidance intentionally provides latitude in how monitoring programs are designed in order to allow organizations to focus more on whether the purposes of each grant are being fulfilled and less on traditional compliance, said Philip A. Maestri, Director of Risk Management Services for the U.S. Department of Education, who co-chaired the task force that created the Uniform Guidance.
“Monitoring should look very different than it did 20 years ago when monitoring was focused on compliance,” said Maestri in an American School Board Journal article written by this author.
What the Regulations Actually Say
Let’s dive a bit deeper into what the regulations actually say about risk assessments that frame the subrecipient monitoring plan.
Subrecipient monitoring is governed by Title 2 of the Code of Federal Regulations, Part 200, entitled Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Under the Uniform Guidance, as it commonly called, a “pass-through entity” receives federal funds and passes them through to subrecipients. Technically, a pass-through entity is a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.
2 CFR §200.331(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for the purposes of determining the appropriate monitoring needed to ensure that Federal funds are used properly.
Historically, pass-through entities used cyclical sampling to ensure that all subrecipients were monitored equally over a set period of time, such as three to five years.
Let’s dive a bit deeper into what the regulations actually say about risk assessments that frame the subrecipient monitoring plan.
Subrecipient monitoring is governed by Title 2 of the Code of Federal Regulations, Part 200, entitled Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Under the Uniform Guidance, as it commonly called, a “pass-through entity” receives federal funds and passes them through to subrecipients. Technically, a pass-through entity is a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.
2 CFR §200.331(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for the purposes of determining the appropriate monitoring needed to ensure that Federal funds are used properly.
Historically, pass-through entities used cyclical sampling to ensure that all subrecipients were monitored equally over a set period of time, such as three to five years.
But in 2014, the federal Office of Management and Budget (OMB) consolidated multiple OMB circulars governing cost principles for federal grants, resulting in the set of standards called the Uniform Guidance, the SuperCircular or the OmniCircular. Its adoption signified a shift in how entities are chosen for monitoring.
In requiring a risk-based process, the Uniform Guidance recognizes that high-risk subrecipients should be addressed more quickly and thoroughly than low-risk entities. The risk-based approach also reduces regulatory burden on grant recipients that are compliant and performing well.
According to §200.331(b) risk factors that “may” be considered include:
But auditors can confuse this language with language governing risk assessments for audits. One Single Audit auditor went so far as to replace the word “may” with a mandate by saying “the Uniform Guidance requires the risk assessment procedures to include, among other things, the results of recent audits/reviews and the amount of federal funding passed through to the subrecipient.”
In reality, the Uniform Guidance provides only guidance on risk assessment methods. And it is silent on sampling methodologies such as criteria for sampling, sampling size, or methodology for stratifying operating units within a subrecipient organization. Therefore ultimately, the risk assessment methodology is left to the professional judgment of the pass-through entity.
The Every Student Succeeds Act of 2015--one of many acts that govern the programmatic aspects of grants monitoring—concurs. It contains multiple references to required monitoring, but it also does not prescribe a risk assessment or sampling methodology.
Designing a Risk Assessment
So given that flexibility, how might a risk assessment be designed?
First, given that a risk assessment is required, it’s evident that a risk assessment should be in writing so auditors can confirm its existence.
Second, dividing risks into categories is helpful to ensure that risks aren’t overly lopsided to the financial, compliance, or programmatic side. Based on the Uniform Guidance’s definition of monitoring, types of risks might include:
In requiring a risk-based process, the Uniform Guidance recognizes that high-risk subrecipients should be addressed more quickly and thoroughly than low-risk entities. The risk-based approach also reduces regulatory burden on grant recipients that are compliant and performing well.
According to §200.331(b) risk factors that “may” be considered include:
- The subrecipient's prior experience with the same or similar subawards;
- The results of previous audits, including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program;
- Whether the subrecipient has new personnel or new or substantially changed systems; and
- The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
But auditors can confuse this language with language governing risk assessments for audits. One Single Audit auditor went so far as to replace the word “may” with a mandate by saying “the Uniform Guidance requires the risk assessment procedures to include, among other things, the results of recent audits/reviews and the amount of federal funding passed through to the subrecipient.”
In reality, the Uniform Guidance provides only guidance on risk assessment methods. And it is silent on sampling methodologies such as criteria for sampling, sampling size, or methodology for stratifying operating units within a subrecipient organization. Therefore ultimately, the risk assessment methodology is left to the professional judgment of the pass-through entity.
The Every Student Succeeds Act of 2015--one of many acts that govern the programmatic aspects of grants monitoring—concurs. It contains multiple references to required monitoring, but it also does not prescribe a risk assessment or sampling methodology.
Designing a Risk Assessment
So given that flexibility, how might a risk assessment be designed?
First, given that a risk assessment is required, it’s evident that a risk assessment should be in writing so auditors can confirm its existence.
Second, dividing risks into categories is helpful to ensure that risks aren’t overly lopsided to the financial, compliance, or programmatic side. Based on the Uniform Guidance’s definition of monitoring, types of risks might include:
|
|
Next comes the assignment of specific risk factors—and both the Uniform Guidance and the audit profession offer some ideas in this regard. Based on 2 CFR §200.519, criteria for federal program risk for auditing purposes, these include:
Other criteria for risk assessment under audit methodologies include:
When single audits are performed on an annual basis and the auditors cite no material financial statement or internal control weaknesses under the requirements of the Generally Accepted Government Auditing Standards (“GAGAS”), also known as the “Yellow Book,” an entity is considered to be lower risk. An additional consideration includes whether the auditor expressed substantial doubt that an auditee could continue as a going concern.
But none of these are possible to measure unless the information is documented and available. So the monitoring team may need to look at objective, available data and they might consider looking at risk factors that directly affect whether the purposes of the grant are being achieved. For a school district, examples include whether the district:
- consideration of the internal control environment
- whether there are multiple internal control structures
- the systems for monitoring
- prior audit findings
- recent monitoring or other reviews that disclosed no significant problems
- the complexity of the program, and
- the types of expenditures.
Other criteria for risk assessment under audit methodologies include:
- significant changes in governing standards such as laws and statutes
- the phase of the program
- the size of the federal award, and
- whether the program is well-established.
When single audits are performed on an annual basis and the auditors cite no material financial statement or internal control weaknesses under the requirements of the Generally Accepted Government Auditing Standards (“GAGAS”), also known as the “Yellow Book,” an entity is considered to be lower risk. An additional consideration includes whether the auditor expressed substantial doubt that an auditee could continue as a going concern.
But none of these are possible to measure unless the information is documented and available. So the monitoring team may need to look at objective, available data and they might consider looking at risk factors that directly affect whether the purposes of the grant are being achieved. For a school district, examples include whether the district:
- Has an embedded Internal Audit unit
- Has an Inspector General's office
- Has an experienced and substantial financial team in place
- Had a Single Audit with material weaknesses
- Has a centralized financial system for all schools
- Has a functional Audit Committee
- Meets its goals in academic achievement, student attendance, high school graduations, and so forth.
For a school, programmatic examples—some of which speak to management effectiveness—include:
After risk indicators are identified, each should be assigned a value or weight, recommends the U.S. Department of Education. The Department states that creating a risk framework ensures consistency in reviews and includes the following steps:
That last step is one more indication that pass-through entities are accorded a high level of flexibility in designing risk- and resource-based monitoring programs. And while risk frameworks are important, they should be designed by the program managers who know the programs best.
- Principal turnover
- Student achievement scores
- Teacher attendance
- Student attendance
- Chronic truancy
- Teacher retention
- Parent Involvement
After risk indicators are identified, each should be assigned a value or weight, recommends the U.S. Department of Education. The Department states that creating a risk framework ensures consistency in reviews and includes the following steps:
- Identify appropriate risk indicators and assign each a value or weight.
- Evaluate and rank subrecipients and programs based on relative risk.
- Identify available monitoring resources and staff – weigh against monitoring needs.
- Adjust monitoring plan, including monitoring activities and schedule based on risk and resource assessments.
That last step is one more indication that pass-through entities are accorded a high level of flexibility in designing risk- and resource-based monitoring programs. And while risk frameworks are important, they should be designed by the program managers who know the programs best.
|
Maribeth Vander Weele is
President of the Vander Weele Group |
|