Subrecipient Monitoring – Linking Risk Assessment Results to Levels of Monitoring

As mentioned before, the Uniform Guidance requires pass-through entities to monitor their subrecipients to assure compliance and performance goals are achieved.
 
In a recent previous post, we described the process for conducting a risk assessment of subrecipients. In this post below, we explain how to link the level of monitoring, that the pass-through entity will perform, to the results of the risk assessment.
​
​

(Click here to jump directly to our highlights of the following excerpt.)

Relevant excerpts from the Uniform Guidance:

​§200.331   Requirements for pass-through entities.
 
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
 
(1) Reviewing financial and performance reports required by the pass-through entity.
 
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
 
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 Management decision.
 
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
 
(1) Providing subrecipients with training and technical assistance on program-related matters; and
 
(2) Performing on-site reviews of the subrecipient's program operations;
 
(3) Arranging for agreed-upon-procedures engagements as described in §200.425 Audit services.
 
(f) Verify that every subrecipient is audited as required by Subpart F—Audit Requirements of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 Audit requirements.

 

​Highlights of the Requirement Excerpts Above:

Following are some of the highlights and note-worthy observations of the Uniform Guidance’s requirement excerpts from above:

1. Appropriate monitoring must be performed based on results of risk assessment. 
2. Monitoring must include: 

• Review financial reports – You must review auditors reports and identify findings (e.g., modification of auditors reports, compliance exceptions, weaknesses in internal controls), if any, related to the pass-through entity’s programs. Issue a “Management Decision” on audit findings. (Click the link to view/download the management decision template in Word-format.)
• Review programmatic reports – Any programmatic reports that the pass-through entity requires the subrecipient to submit must be reviewed. Identify any indications of noncompliance or risk.
• Assure single audit filed – The pass-through must verify that subrecipients required to have single audits submit them.
• Ensuring corrective action – Assure that any findings identified in review of the financial reports and programmatic reports are appropriately remedied in a timely manner. The pass-through entity should require the subrecipient to submit a corrective action plan (“CAP”) for any finding. The CAP should include:
  • List of tasks the subrecipient will perform to correct the deficiency. These tasks should be those that the pass-through entity considers likely to resolve the deficiency.
  • Person(s) responsible for completing each task.
  • Required date of completion for each task.

The pass-through entity should review the CAP to:

• Assure it is complete (i.e., all required elements listed above are included);
• Assure it is adequate (i.e., that if subrecipient completes the plan it is likely the problem will be adequately resolved);
• Monitor the subrecipient’s progress on the CAP and that it completes the CAP in a timely manner; and
• Conclude whether the finding was adequately resolved.

 
3.  Monitoring may include: 

• Training and technical assistance – The pass-through entity should provide adequate education (aka “training and technical assistance”) to subrecipient management so they understand the program requirements and pass-through entity expectations. If several subrecipients are weak in the same risk criterion (e.g., revenues and expenses for each award accounted for separately), then the pass-through entity may consider providing training and technical assistance simultaneously to a group of subrecipients.
• Desk reviews – All of the minimum monitoring from above, plus request additional documents from subrecipient, review its performance, and request a corrective action plan as appropriate.
• On-site reviews – All of the minimum monitoring from above, plus visit the subrecipient’s site as needed to review subrecipient’s operations, record-keeping and performance, and request a corrective action plan as appropriate.
• “Agreed-upon-procedures” engagements – All of the minimum monitoring from above, plus engage a CPA to conduct an “agreed upon procedures” review of the subrecipient (procedures to be determined based on the areas of risk for each subrecipient and results of the agreed upon procedures to be used to develop a corrective action plan).
• Other monitoring as determined by pass-through entity.

 

​As each monitoring task is performed, the responsible Agency employee performing the monitoring task shall document in the subgrantee’s file the date, who was involved from the Agency and subgrantee, what tasks performed, the results of the task, and necessary next steps.  

Linking Monitoring to Risk Assessment Results

In a previous blog post, we presented two sample risk assessment checklists/questionnaires: one to be completed by a financial expert based on information available in the subrecipient’s financial report, and one to be completed by pass-through entity program staff based on knowledge of the subrecipient.
The results of the risk assessment should be summarized into a Risk Assessment Summary (click the link to jump to the section to view and/or download the risk assessment summary template.). This summary assigns a weighted risk score for each risk criterion, calculates a risk score for each subrecipient, and visually displays the identified areas of risk. The risk score will be used to determine the level of monitoring required.

There are many acceptable methods to link the results of the risk assessments to the monitoring that will be performed. The level and type of monitoring will likely change as pass-through entities learn from conducting more monitoring.  However, several pass-through entities, that we are working with, are assigning monitoring levels based solely on the risk score. 
For example:
●     85-100 = Minimum monitoring
●     70-84 = Desk review
●     55-69 = On-site visit
●     < 55 = Agreed-upon-procedures

Escalating Sanctions

When a subrecipient does not make progress according to the CAP, the pass-through entity will consider one or all of the sanctions listed below.
Continued lack of progress will require the pass-through entity to escalate sanctions until compliance is achieved; otherwise the pass-through entity will be considered non-compliant with the federal requirements.
​
Possible sanctions can include:
●     Additional training and technical assistance
●     Delay payments to subrecipient until they comply
●     Deny a portion of requested payments for activities not in compliance
●     Suspend or terminate the contract
●     Reduce funding in next contract
●     Decline to renew contract when it ends
●     Initiate federal suspension or debarment proceedings
●     Other legally available actions

---

​Other Blog Posts Related to Subrecipient Monitoring:

We have previously provided guidance on subrecipient monitoring in these blog posts (this list will get more extensive as new posts are added on):
​

• Subrecipient Monitoring Procedures – Basic Terms & Definitions

• Subrecipient Monitoring Procedures – Uniform Guidance Requirements​
• Subrecipient Monitoring Procedures – How to Distinguish Subrecipients from Contractors
• Subrecipient Monitoring Procedures – How to Conduct a Risk Assessment of Subrecipients
• ​Subrecipient Monitoring Procedures – Reviewing Financial and Programmatic Reports

​Watch for upcoming blog posts about the Uniform Guidance requirements:  
 
●      Data Collection

---

If you have questions or would like hands-on advice on how to implement the recommendations in this blog post in your organization, Kevin is available to answer questions via phone or email at no cost to you:

Kevin Harper, CPA
kharper@kevinharpercpa.com
(510) 593-503
​

​​If you'd like to get more free tips, as well as downloadable tools and templates for your agency, please join our mailing list here!  ​
 
(We send 1-2 emails a month at a maximum, and only send useful information. You can unsubscribe at any time.)