Uniform Guidance - Lessons Learned And To Be Learned

Moderator and speakers:
Jerry E. Durham, Assistant Director for Research and Compliance, Tennessee Comptroller of the Treasury
Ann Fritz, Finance Director, City of Saint Petersburg, FL
Nancy Wishmeyer, Controller, City of Aurora, Colorado
Jeff Markert, Partner, KPMG LLP

May 23, 2017, 3:35-4:50 PM
#GFOA2017

Agenda
— Lessons Learned
    • Internal control
    • Policies and procedures
    • Risk assessment
    • Role of grants management systems
    • Subrecipient risk assessment and monitoring
    • Reporting
— Common findings under UG
— Recent federal activity

Internal Control

Internal Control Requirements
— Non-Federal entities must establish and maintain effective internal control that provides reasonable assurance that entity is managing Federal award in compliance with Federal statutes, regulations, and terms and conditions of Federal award.
— Internal controls should be in compliance with:
    • COSO (Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission), and
    • Green Book (Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States)

Green Book has similar structure to COSO.

What is Internal Control?
AICPA (AU-C 315.04), Green Book (OV1.01) and COSO

Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

Entity Level and Process Level Controls

Control Environment, Risk Assessment, Information and Communication, Monitoring, Control Activities

Entity Level Controls

Process Level Controls

Higher Level Controls

Controls that do not specifically relate to an assertion

Controls that specifically relate to an assertion

Internal Control – Lessons Learned
— Focus on control activities at the compliance requirement level
    • Avoid natural tendency to focus solely on financial reporting controls
— Documentation is time consuming and a continuous work in process
— Different methods/tools may be appropriate
    • Questionnaires
    • Narratives
    • Flow charts

Many organizations had very little internal control documentation prior to UG.

Internal Control – Lessons Learned
— Staff often do not understand their internal control responsibilities
— Evaluation of internal control design and operating effectiveness needs to be performed by someone
— Need to take reasonable measures to safeguard PII
— Ensure you understand the difference between a process vs. a control

Knowledgeable, committed staff are key to integrity of internal controls.

Distinguishing a Process from a Control

Business Process
The activity performed by the process owner.
Includes a series of steps to initiate, recognize and disclose business transactions in a particular period.
A process activity is where an error can occur.

Internal Control
Activities that mitigate processing risk (either directly or indirectly) in an entity’s business process to an acceptable level.
An activity that is performed to prevent or detect an error.

Policies and Procedures

Written policies required by UG

“Written Policy” references in UG (25 times)

Financial management – section 200.302

Payment – section 200.305

Procurement – sections 200.318, 200.319, and 200.320

Compensation – sections 200.430 and 200.431

Relocation costs – section 200.464

Travel costs – section 200.474

Policies and Procedures – Lessons Learned
— Decentralized environment presents challenges for establishing consistent and appropriate policies and procedures
— Consider use of grants management steering committee
— Essential to incorporate policies and procedures into training
— Utilize grants administration manual

Updates ordinarily must be approved by multiple stakeholders.

Risk Assessment

Risk Assessment – Lessons Learned
— Understand the difference between entity-wide level and compliance requirement level
— Risk assessment should also be performed at the federal program/compliance requirement level

Consider involving internal audit.

Role of Grants Management System

Grants Management System – Lessons Learned
— Important to have grants management module that identifies federal programs and related costs on front end
— Separately identify pre and post UG awards

Take advantage of electronic system capabilities!!!

Subrecipient Risk Assessment and Monitoring

Pass-Through Entity Requirements
— Each subaward must clearly be identified as subaward and include standard data elements, including:
    • Requirements imposed by pass-through entity
    • Provision for indirect costs
        • Either negotiated or a de minimis rate of 10%
— Clarifies Federal expectations for pass-through entities
    • Consolidates and clarifies subrecipient monitoring
    • Must evaluate each subrecipient’s risk of noncompliance for purposes of determining appropriate monitoring. Evaluation may include:
        • Prior experience with similar subawards
        • Results of previous audits
        • Whether subrecipient has new personnel or systems
        • Extent and results of Federal awarding agency monitoring

Pass-Through Entity Requirements
— Monitoring activities must include:
    • Reviewing financial and programmatic reports required by pass-through entity
    • Following up on corrective action
    • Issuing management decisions
    • Verifying every subrecipient is audited as required by Subpart F
    • Consider taking enforcement action against noncompliant subrecipients
— Based on risk assessment, following monitoring tools may be used:
    • Providing training to subrecipients
    • Performing on-site reviews
    • Arranging for agreed-upon procedures engagements

Subrecipient Risk Assessment and Monitoring – Lessons Learned
— Fundamental change in mindset from a post-award to pre-award focus
    • Historically looked at as a back end process
    • Getting information upfront is difficult
— Subrecipient monitoring is more than just checking a box
— Difficult to link risk assessment for subrecipient to monitoring activities performed
— Consider centralizing monitoring activities for fiscal and administrative

Treat subrecipients like an extension of your organization.

Subrecipient Risk Assessment and Monitoring – Questions to ask?
— How does the PTE ensure all information required to be communicated to a subrecipient has been communicated?
— Does the PTE’s evaluation of risk include consideration of appropriate factors?
— What are the responsibilities of the subrecipient in relation to the program? (e.g., determine eligibility, provide services, case management)
— What compliance requirements are applicable at the subrecipient level?
    • Almost always: Allowability, Cash Management, Reporting, Period of Performance, Procurement, Suspension, and Debarment.
    • Often: Eligibility, Matching, Level of Effort, Earmarking, etc.
— How does the PTE ensure that costs incurred by a subrecipient are for allowable items and other applicable requirements are met?

Consider using subrecipient matrix of direct and material compliance requirements to document monitoring activities by compliance requirement.

Reporting

Schedule of Expenditures of Federal Awards (SEFA)
• Face of SEFA must include all Federal awards expended including:
    • Noncash assistance
    • Loan programs (beginning balance of outstanding loans plus loans disbursed during period plus interest subsidy, cash, or administrative cost allowance)
    • Loan guarantee programs
    • Amounts passed through to subrecipients for each program
• Footnotes to SEFA must include:
    • Year-end loan balances
    • Whether or not entity used 10% de minimis cost rate
    • Significant accounting policies

Reporting – Lessons Learned
— High error rate in submissions to FAC
    Common errors include:
        • Not including all required elements on SEFA
        • Stating whether or not organization is using the 10% indirect cost rate
        • Stating whether the financial statements were prepared in accordance with GAAP
        • Disclosing in findings whether sample was statistically valid
        • Disclosing in findings whether the finding was reported in the prior year

Gather relevant grant information in one place.

Reporting – Lessons Learned
— Reports are significantly more visible now that they are publicly available
— Need to include separate corrective action plan
    • “Views of Responsible Officials” is not sufficient

CAP and SSPAF must include both GAGAS and UG findings.

Common Findings under UG

Common Findings under UG
— NFE not able to identify pre and post UG expenditures
— PTE did not make subrecipient aware of award information required by 200.331(a)
— PTE did not adequately perform risk assessment of subrecipients to determine appropriate monitoring and/or did not document
— PTE did not adequately document risk assessment
— PTE did not update monitoring procedures and tools based on UG

Whether the lack of written policies under UG, by itself, results in a reportable finding appears to be a facts and circumstances evaluation based on nature of noncompliance and control deficiencies identified.

Common Findings under UG
— PTE did not adequately perform or had missing monitoring activities
— NFE did not have effective internal control over direct and material compliance requirements
— NFE did not comply with procurement requirements of UG
— SEFA not including all required elements under UG

Recent Federal Activity

OMB Activity
— Potential delay of COFAR Frequently Asked Questions (FAQ)
— Procurement
    • Status of micro purchase threshold increase
    • Potential extension of “procurement delay” for third year
— SEFA pilot project (Federal Auditing Clearinghouse)
    • Goal is to eliminate separate preparation and presentation of SEFA
    • 20 participants in recent project
    • Expected to be incorporated into FAC in 2019
— Future CFDA number format changes
    • From XX.XXX to XXX.XXXX
        • First three digits to align with federal agency number used by Treasury
        • Last four digits to provide greater flexibility to agencies in assigning program numbers
— 2017 Compliance Supplement

2017 Compliance Supplement
— No major changes, but one clarification to two year look back rule

When OMB adds a new CFDA number to a cluster listed in Part 5, the cluster does not meet the two-year look back unless the client’s current year expenditures for the new CFDA number were less than or equal to twenty-five percent (0.25) of the Type A threshold. For example:
— Type A threshold $750,000.
— Cluster ABC (93.123, 93.125 and 93.127) was audited in 2015 with no audit findings.
— The 2017 Compliance Supplement added CFDA 93.129 to the cluster.
— The organization's expenditures for 2017 were:
    • 93.123: $300,000
    • 93.125: $400,000
    • 93.127: $500,000
    • 93.129: $300,000
— 2017 major program determination: Cluster ABC was audited in 2015. However, because the organization's current year expenditures for CFDA 93.129 exceed $187,500 (0.25 of the Type A threshold), cluster ABC fails the two-year look back criteria.

Student Financial Aid
— SFA as a major program issue
    • Same process as 2016 (send email)
— Gramm Leach Bliley (Cybersecurity) update
    • To be tested starting in 2018