
Post on 05-Nov-2019


  • Uniform Guidance - Lessons Learned And To Be Learned

    MAY 23, 2017, 3:35-4:50PM

    #GFOA2017

    Moderator and speakers:

    Jerry E. Durham, Assistant Director for Research and Compliance, Tennessee Comptroller of the Treasury

    Ann Fritz, Finance Director, City of Saint Petersburg, FL

    Nancy Wishmeyer, Controller, City of Aurora, Colorado

    Jeff Markert, Partner, KPMG LLP

  • Agenda

    —Lessons Learned
      - Internal control
      - Policies and procedures
      - Risk assessment
      - Role of grants management systems
      - Subrecipient risk assessment and monitoring
      - Reporting
    —Common findings under UG
    —Recent federal activity

  • Internal Control

  • Internal Control Requirements

    —Non-Federal entities must establish and maintain effective internal control that provides reasonable assurance that entity is managing Federal award in compliance with Federal statutes, regulations, and terms and conditions of Federal award.

    —Internal controls should be in compliance with:
      - COSO (Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission), and
      - Green Book (Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States)

    Green Book has similar structure to COSO.

  • What is Internal Control?

    AICPA (AU-C 315.04), Green Book (OV1.01) and COSO

    Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

  • Entity Level and Process Level Controls

    [Diagram. Components: Control Environment, Risk Assessment, Information and Communication, Monitoring, Control Activities. Labels: Entity Level Controls; Process Level Controls; Higher Level Controls; Controls that do not specifically relate to an assertion; Controls that specifically relate to an assertion.]

  • Internal Control – Lessons Learned

    —Focus on control activities at the compliance requirement level
      - Avoid natural tendency to focus solely on financial reporting controls
    —Documentation is time consuming and a continuous work in process
    —Different methods/tools may be appropriate
      - Questionnaires
      - Narratives
      - Flow charts

    Many organizations had very little internal control documentation prior to UG.

  • Internal Control – Lessons Learned

    —Staff often do not understand their internal control responsibilities
    —Evaluation of internal control design and operating effectiveness needs to be performed by someone
    —Need to take reasonable measures to safeguard PII
    —Ensure you understand the difference between a process vs. a control

    Knowledgeable, committed staff are key to integrity of internal controls.

  • Distinguishing a Process from a Control

    Business Process
      - The activity performed by the process owner.
      - Includes a series of steps to initiate, recognize and disclose business transactions in a particular period.
      - A process activity is where an error can occur.

    Internal Control
      - Activities that mitigate processing risk (either directly or indirectly) in an entity’s business process to an acceptable level.
      - An activity that is performed to prevent or detect an error.

  • Policies and Procedures

  • Written policies required by UG

    “Written Policy” references in UG (25 times)

    Financial management – section 200.302

    Payment – section 200.305

    Procurement – sections 200.318, 200.319, and 200.320

    Compensation – sections 200.430 and 200.431

    Relocation costs – section 200.464

    Travel costs – section 200.474

  • Policies and Procedures – Lessons Learned

    —Decentralized environment presents challenges for establishing consistent and appropriate policies and procedures

    —Consider use of grants management steering committee

    —Essential to incorporate policies and procedures into training

    —Utilize grants administration manual

    Updates ordinarily must be approved by multiple stakeholders.

  • Risk Assessment

  • Risk Assessment – Lessons Learned

    —Understand the difference between entity-wide level and compliance requirement level

    —Risk assessment should also be performed at the federal program/compliance requirement level

    Consider involving internal audit.

  • Role of Grants Management System

  • Grants Management System – Lessons Learned

    —Important to have grants management module that identifies federal programs and related costs on front end

    —Separately identify pre and post UG awards

    Take advantage of electronic system capabilities!!!

  • Subrecipient Risk Assessment and Monitoring

  • Pass-Through Entity Requirements

    —Each subaward must clearly be identified as subaward and include standard data elements, including:
      - Requirements imposed by pass-through entity
      - Provision for indirect costs
        • Either negotiated or a de minimis rate of 10%
    —Clarifies Federal expectations for pass-through entities
      - Consolidates and clarifies subrecipient monitoring
      - Must evaluate each subrecipient’s risk of noncompliance for purposes of determining appropriate monitoring. Evaluation may include:
        • Prior experience with similar subawards
        • Results of previous audits
        • Whether subrecipient has new personnel or systems
        • Extent and results of Federal awarding agency monitoring

  • Pass-Through Entity Requirements

    —Monitoring activities must include:
      - Reviewing financial and programmatic reports required by pass-through entity
      - Following up on corrective action
      - Issuing management decisions
      - Verifying every subrecipient is audited as required by Subpart F
      - Consider taking enforcement action against noncompliant subrecipients
    —Based on risk assessment, following monitoring tools may be used:
      - Providing training to subrecipients
      - Performing on-site reviews
      - Arranging for agreed-upon procedures engagements

  • Subrecipient Risk Assessment and Monitoring – Lessons Learned

    —Fundamental change in mindset from a post-award to pre-award focus
      - Historically looked at as a back end process
      - Getting information upfront is difficult
    —Subrecipient monitoring is more than just checking a box
    —Difficult to link risk assessment for subrecipient to monitoring activities performed
    —Consider centralizing monitoring activities for fiscal and administrative

    Treat subrecipients like an extension of your organization.

  • Subrecipient Risk Assessment and Monitoring – Questions to ask?

    — How does the PTE ensure all information required to be communicated to a subrecipient has been communicated?
    — Does the PTE’s evaluation of risk include consideration of appropriate factors?
    — What are the responsibilities of the subrecipient in relation to the program? (e.g., determine eligibility, provide services, case management)
    — What compliance requirements are applicable at the subrecipient level?
      - Almost always: Allowability, Cash Management, Reporting, Period of Performance, Procurement, Suspension, and Debarment.
      - Often: Eligibility, Matching, Level of Effort, Earmarking, etc.

    — How does the PTE ensure that costs incurred by a subrecipient are for allowable items and other applicable requirements are met?

    Consider using subrecipient matrix of direct and material compliance requirements to document monitoring activities by compliance requirement.

  • Reporting

  • Schedule of Expenditures of Federal Awards (SEFA)

    • Face of SEFA must include all Federal awards expended including:
      - Noncash assistance
      - Loan programs (beginning balance of outstanding loans plus loans disbursed during period plus interest subsidy, cash, or administrative cost allowance)
      - Loan guarantee programs
      - Amounts passed through to subrecipients for each program
    • Footnotes to SEFA must include:
      - Year-end loan balances
      - Whether or not entity used 10% de minimis cost rate
      - Significant accounting policies

  • Reporting – Lessons Learned

    —High error rate in submissions to FAC
      - Common errors include:
        • Not including all required elements on SEFA
        • Stating whether or not organization is using the 10% indirect cost rate
        • Stating whether the financial statements were prepared in accordance with GAAP
        • Disclosing in findings whether sample was statistically valid
        • Disclosing in findings whether the finding was reported in the prior year

    Gather relevant grant information in one place.

  • Reporting – Lessons Learned

    —Reports are signifi
