The Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (uniform guidance) aims to prevent abuse of the billions of dollars of federal awards expended annually and ease the administrative burden on award recipients. But naturally, with change comes challenge, and the new guidance is no exception.
The uniform guidance represents comprehensive grant reform guidance that supersedes a number of Office of Management and Budget (OMB) circulars. It combines the former circulars into one common set of guidance that standardizes definitions and requirements, streamlines rules, and homogenizes requirements across nonfederal entity types.
In this series, we dive into a few of the more important areas to understand in the new guidance. First on the list: subrecipient monitoring requirements. In this first installment, we’ll cover the roles and responsibilities of organizations that pass federal funds through to subrecipients and outline some related best practices.
Impact of the Change in the Audit Threshold
Organizations receiving $500,000 or more of federal funds were subject to the single audit requirements under the OMB circulars that previously governed requirements for federal grants. That audit was usually the primary means of ensuring that subrecipients used passed-through federal funds appropriately. The uniform guidance raises this threshold to $750,000, which means about 5,000 organizations that were previously required to have a single audit under the OMB rules will no longer be required to do so.
This relieves a burden for many organizations, but it also leaves pass-through entities—those recipients of federal funds that in turn provide funds to other organizations—with the task of ensuring their subrecipients are using funds appropriately in the absence of a single audit.
What Is a Subrecipient?
Only subrecipients—not contractors, which used to be called vendors under previous guidance—are subject to the monitoring requirements outlined in the new guidance. For that reason, it’s imperative to understand the distinctions between the two. Although this is one of the more challenging determinations all pass-through entities and subrecipients must go through, the table below outlines the general characteristics of each type:
Pass-Through Entity Responsibilities
All subrecipients, regardless of award size, must be monitored under Subpart D of the uniform guidance, which provides a list of a pass-through entity’s related responsibilities. Many of the requirements are administrative in nature, such as the need to disclose to subrecipients the full name of the award, any stipulations imposed by the federal awarding agency or the pass-through entity, and the closeout terms and conditions.
Other requirements are more involved, particularly these three: performing a risk assessment of the subrecipient, monitoring the subrecipient, and following up on any audit findings or other issues revealed in that process. Let’s look at some best practices a pass-through entity should consider implementing in each of these key areas.
A pass-through entity should assess the risk of a subrecipient’s noncompliance with federal statutes, regulations, and the terms and conditions of the subaward at the outset of the relationship and at least annually afterward. Depending on the kind of work the subrecipient performs, it may make sense to reevaluate risk more frequently, even quarterly, to account for changes in the organization or the nature of its activities.
Risk assessments should include evaluation of both the magnitude of potential noncompliance and the probability that noncompliance will occur. Subrecipient characteristics to examine include:
- Prior experience with federal awards
- Results of any previous audits
- Personnel involved
- Extent and results of any monitoring by the federal awarding agency
- Policies and procedures
- Financial stability
- Management systems
- Complexity of award requirements
In your risk assessment, be explicit in the criteria you use to evaluate risk, and customize the risk factors you consider to suit the program in question. You should also consider creating a rubric of relevant risk factors, evaluating the entity in terms of risk (high, medium, or low) in each area, and then computing a final score that corresponds to a consistent set of monitoring procedures. An important element in risk assessment is documentation of the process and results. This is critical to ensuring that support is available in the event of an audit by external auditors or cognizant agency.
The overall level of risk you identify in the subrecipient should dictate the frequency and depth of your monitoring practices, including how you mitigate identified risks. You may, for example, choose to provide training and technical assistance, perform on-site reviews of program operations, or arrange for agreed-upon procedures to be performed by an independent third party to help you assess compliance. In some cases, your monitoring efforts may result in a determination to impose additional conditions on the subrecipient. (See Section 200.207 in the uniform guidance for examples.)
To lay a groundwork for quality monitoring, make sure you clearly identify necessary activities and the parties responsible for those activities. Review federal debarment lists regularly to ensure your subrecipients haven’t appeared on them. If you have internal auditors of your own, you may wish to have them conduct regular, detailed, and even on-site reviews; if not, you could consider procuring consultants or external auditors to assist in oversight audits or agreed-upon procedure engagements.
A few key characteristics of effective monitoring are:
- Data quality reviews
- Required progress reporting
- Site and desk reviews (especially important for large-scale projects)
- Compliance auditing
- The development of corrective action plans, as needed
Ideally, you should have a system in place for determining how you’ll monitor subrecipients. You might, for example, establish baseline monitoring procedures that you apply universally to all subrecipients at each risk level (low, medium, and high). From there, you’d customize your monitoring plan for each individual subrecipient to address specific areas of concern.
Particularly if your subrecipient’s programs are technical in nature, such as those of a research institute, consider whether separate teams should monitor program activities (for example, progress toward research goals) and fiscal activities (invoices, etc.). Be sure to involve principal investigators or others who are truly performing the work of the grant or program—not only the finance or accounting professionals who handle invoices and administrative activities.
Follow-up to Monitoring Efforts
The new guidance makes it explicit (rather than implied) that a pass-through entity must actively issue management decisions regarding audit findings identified during the monitoring process and that the subrecipient must implement remediation plans accordingly. Issues are bound to arise in arrangements between a subrecipient and a pass-through entity—there’s simply no way to prevent every possible situation. So just as important as ongoing monitoring of risk areas is how you address shortcomings. Ideally, this should be a collaborative process between a pass-through entity and its subrecipients.
Audit findings uncovered in the monitoring or auditing process are best discussed and agreed upon by both the pass-through entity’s reviewer as well as the subrecipient’s management. Any deficiencies must be identified to the subrecipient, which should be given a specified period of time—for example, 60 days—to submit a corrective action plan for the pass-through entity’s approval. This plan shouldn’t only correct the immediate problem but also should create future controls that prevent the situation from reoccurring. For example, if federal funds were used toward an unallowable activity, those funds should be recovered or otherwise resolved, and the corrective action plan might create a new preapproval process for future expenditures.
In the event of subrecipient noncompliance, consider issuing a memo to document the event, including the monitoring activities conducted, the findings, and any follow-up actions undertaken. In extreme cases—for example, the discovery that a subrecipient has been debarred by the federal government or spent $1 million on unallowable expenses—follow the requirements in the uniform guidance for reporting such events. This includes reporting the act of noncompliance itself and any sanctioning activities your organization has taken to the federal awarding agency. This will keep your organization ahead of any potential repercussions from the federal awarding agency.
For more information and background on the uniform guidance or insight on how key changes and provisions may affect your organization, contact your Moss Adams professional. For previously published articles and resources related to this topic, visit our uniform guidance topic page.