Post on 05-Nov-2019
Uniform Guidance - Lessons Learned And To Be Learned
DAY ■ MAY 23, 2017 3:35-4:50PM
Jerry E. Durham, Assistant Director for Research and Compliance, Tennessee Comptroller of the Treasury
Ann Fritz, Finance Director, City of Saint Petersburg, FL
Nancy Wishmeyer, Controller, City of Aurora, Colorado
Jeff Markert, Partner, KPMG LLP
Agenda
—Lessons Learned
  • Internal control
  • Policies and procedures
  • Risk assessment
  • Role of grants management systems
  • Subrecipient risk assessment and monitoring
  • Reporting
—Common findings under UG
—Recent federal activity
Internal Control Requirements
—Non-Federal entities must establish and maintain effective internal control that provides reasonable assurance that entity is managing Federal award in compliance with Federal statutes, regulations, and terms and conditions of Federal award.
—Internal controls should be in compliance with:
  • COSO (Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission), and
  • Green Book (Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States)
Green Book has similar structure to COSO.
What is Internal Control?
AICPA (AU-C 315.04), Green Book (OV1.01) and COSO
Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.
Entity Level and Process Level Controls
[Diagram labels: Control; Assessment; Information and Communication; Monitoring; Entity Level Controls; Process Level Controls; Higher Level Controls; Controls that do not specifically relate to an assertion; Controls that specifically relate to an assertion]
Internal Control – Lessons Learned
—Focus on control activities at the compliance requirement level
  • Avoid natural tendency to focus solely on financial reporting controls
—Documentation is time consuming and a continuous work in process
—Different methods/tools may be appropriate
  • Questionnaires
  • Narratives
  • Flow charts
Many organizations had very little internal control documentation prior to UG.
Internal Control – Lessons Learned
—Staff often do not understand their internal control responsibilities
—Evaluation of internal control design and operating effectiveness needs to be performed by someone
—Need to take reasonable measures to safeguard PII
—Ensure you understand the difference between a process vs.
Knowledgeable, committed staff are key to integrity of internal controls.
Distinguishing a Process from a Control
Process:
  • The activity performed by the process owner.
  • Includes a series of steps to initiate, recognize and disclose business transactions in a particular
  • A process activity are where an error can
Control:
  • Activities that mitigate processing risk (either directly or indirectly) in an entity’s business process to an acceptable level.
  • An activity that is performed to prevent or detect an error.
Policies and Procedures
Written policies required by UG
“Written Policy” references in UG (25 times)
Financial management – section 200.302
Payment – section 200.305
Procurement – sections 200.318, 200.319, and 200.320
Compensation – sections 200.430 and 200.431
Relocation costs – section 200.464
Travel costs – section 200.474
Policies and Procedures – Lessons Learned
—Decentralized environment presents challenges for establishing consistent and appropriate policies and procedures
—Consider use of grants management steering committee
—Essential to incorporate policies and procedures into training
—Utilize grants administration manual
Updates ordinarily must be approved by multiple stakeholders.
Risk Assessment – Lessons Learned
—Understand the difference between entity-wide level and compliance requirement level
—Risk assessment should also be performed at the federal program/compliance requirement level
Consider involving internal audit.
Role of Grants Management System
Grants Management System – Lessons Learned
—Important to have grants management module that identifies federal programs and related costs on front end
—Separately identify pre and post UG awards
Take advantage of electronic system capabilities!!!
Subrecipient Risk Assessment and Monitoring
Pass-Through Entity Requirements
—Each subaward must clearly be identified as subaward and include standard data elements, including:
  • Requirements imposed by pass-through entity
  • Provision for indirect costs
    • Either negotiated or a de minimis rate of 10%
—Clarifies Federal expectations for pass-through entities
  • Consolidates and clarifies subrecipient monitoring
  • Must evaluate each subrecipient’s risk of noncompliance for purposes of determining appropriate monitoring. Evaluation may include:
    • Prior experience with similar subawards
    • Results of previous audits
    • Whether subrecipient has new personnel or
    • Extent and results of Federal awarding agency
Pass-Through Entity Requirements
—Monitoring activities must include:
  • Reviewing financial and programmatic reports required by pass-through entity
  • Following up on corrective action
  • Issuing management decisions
  • Verifying every subrecipient is audited as required by Subpart F
  • Consider taking enforcement action against noncompliant
—Based on risk assessment, following monitoring tools may be used:
  • Providing training to subrecipients
  • Performing on-site reviews
  • Arranging for agreed-upon procedures engagements
Subrecipient Risk Assessment and Monitoring – Lessons Learned
—Fundamental change in mindset from a post-award to pre-award focus
  • Historically looked at as a back end process
  • Getting information upfront is difficult
—Subrecipient monitoring is more than just checking a box
—Difficult to link risk assessment for subrecipient to monitoring activities performed
—Consider centralizing monitoring activities for fiscal and
Treat subrecipients like an extension of your organization.
Subrecipient Risk Assessment and Monitoring – Questions to ask?
—How does the PTE ensure all information required to be communicated to a subrecipient has been communicated?
—Does the PTE’s evaluation of risk include consideration of appropriate factors?
—What are the responsibilities of the subrecipient in relation to the program? (e.g., determine eligibility, provide services, case management)
—What compliance requirements are applicable at the subrecipient level?
  • Almost always: Allowability, Cash Management, Reporting, Period of Performance, Procurement, Suspension, and Debarment.
  • Often: Eligibility, Matching, Level of Effort, Earmarking, etc.
—How does the PTE ensure that costs incurred by a subrecipient are for allowable items and other applicable requirements are met?
Consider using subrecipient matrix of direct and material compliance requirements to document monitoring activities by compliance requirement.
Schedule of Expenditures of Federal Awards (SEFA)
• Face of SEFA must include all Federal awards expended including:
  • Loan programs (beginning balance of outstanding loans plus loans disbursed during period plus interest subsidy, cash, or administrative cost allowance)
  • Loan guarantee programs
  • Amounts passed through to subrecipients for each program
• Footnotes to SEFA must include:
  • Year-end loan balances
  • Whether or not entity used 10% de minimis cost rate
Reporting – Lessons Learned
—High error rate in submissions to FAC
  Common errors include:
  • Not including all required elements on SEFA
  • Stating whether or not organization is using the 10% indirect cost rate
  • Stating whether the financial statements were prepared in accordance with GAAP
  • Disclosing in findings whether sample was statistically valid
  • Disclosing in findings whether the finding was reported in the prior
Gather relevant grant information in one place.
Reporting – Lessons Learned
—Reports are signifi