Subrecipient Monitoring – How to Conduct a Risk Assessment of Subrecipients

Click here to jump directly to the questionnaires.

Subrecipients are required to be monitored according to the Office of Management and Budget’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (“Uniform Guidance”) by any government or non-profit that passes federal funds to subrecipients. In a previous blog post, we discussed how to determine which entities to which you pass federal funds are subrecipients vs. contractors. 
 
The Uniform Guidance requires pass-through entities to determine the extent of monitoring required of each subrecipient based on the results of a risk assessment. In this post, we go over proposed procedures for assessing subrecipients’ risk of non-compliance with federal regulations and grant provisions, and provide sample questionnaires for determining, quantifying and documenting risk.   

​Following is the relevant excerpt from Section 200.331 of the Uniform Guidance:

All pass-through entities must:

(b) Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring…, which may include consideration of such factors as:
(1) The subrecipient's prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit…, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)

The Uniform Guidance does not require any particular type or extent of risk assessment. That is left to the judgement of the pass through entity. However, the types of criteria used to evaluate the risk that an organization complies with grant provisions often include:

• How subrecipient management has responded to prior monitoring activities
• Subrecipient management’s experience with the same or similar grants
• Recent changes in subrecipient personnel, systems or procedures
• Subrecipient’s history of meeting requirements, including timely reporting
• Subrecipient’s time in operation (short time in existence increases risk)
• Financial stability:
  • Cash flow problems
  • Lawsuits
  • Negative net assets
  • Debarred/suspended

Evaluating a Subrecipient’s Risk

Working jointly with several of our clients who have a large number of subrecipients, we developed a list of 23 questions designed to evaluate subrecipient risk.
Each of these 23 questions are weighted with a score of 3 to7 points so that there is a maximum available score of 100 for each subrecipient. 

The 23 questions are as follows (they are split between 13 financial risk questions and 10 programmatic risk questions):

 

Financial Risk Questions
Questions that can be answered by reviewing the subrecipient financial statements are included on a Subgrantee Risk Assessment Questionnaire – Financial Risk (click the link to download and view/use the template)​.
​These questions are typically answered by an employee experienced at reading financial reports.
​

​The financial risk questions are:

1. Do the financial statements include all required statements and disclosures?
2. Is the auditors’ report unmodified and are there no compliance exceptions and no internal control weaknesses?    
3. Does this grant represent less than 25% of entity-wide expenditures for the specific federal program?
4. Are current assets sufficient to pay current liabilities as they come due?    
5. Are variations between subrecipient contracted budget and actual expenditures reasonable? 
6. Is unrestricted net position (equity) sufficient to cover at least 3 months of operating costs?   
7. Has the subrecipient operated at a profit each of the past three years?
8.   Are the subrecipient’s operating and overhead expenses reasonable in type and amount compared to similar subrecipients?
9. Are related party transactions reasonable or de minimus?     
10. Has the subrecipient used borrowing, if any, only for acquisition of long term assets?    
11. Are salaries and benefits as a percentage of total costs stable or declining?    
12. Did the subrecipient receive a single audit in the past year?  Was the program audited as a major federal program in the in the past three years?
13. Any other items noted during review of the financial statements (e.g., unfunded commitments or other unrecorded liabilities; lawsuits; subsequent events).     

Programmatic Risk Questions
​​The remaining questions are placed on a Subgrantee Risk Assessment Questionnaire – Programmatic Risk (click the link to download and view/use the template)​.
​These questions are typically answered by an employee who works with subrecipient management based on their knowledge of the subrecipient, review of files, discussion with other County employees dealing with the subrecipient, and discussion with subrecipient management.
​

The programmatic risk questions are:

14.   Is the subrecipient experienced with the program?
15.   Has there been stability in subrecipient key personnel, systems and procedures during the past year?
16.   Has the subrecipient been timely during the past three years in the preparation and submission of required reports, reimbursement requests, budgets, etc.?
17.   Has the subrecipient had an on-site monitoring visit during the last three years?
18.   Was the subrecipient found to be in compliance with regulations during the County’s prior visit, in any County corrective action plan, and/or in audits by other grantors?
19.   Is the subrecipient in good legal standing, with no current or recent lawsuit(s) filed against them?
20.   Is the subrecipient not included on the U.S. General Services Administration’s suspended /debarred list?
21.  Does the subrecipient’s automated accounting system identify the receipts and expenditures of program funds separately for each award?
22.   Does the subrecipient have a time and accounting system to track labor costs by cost objective?
23. Any concerns with the subrecipient, unusual complexity in the program or its compliance requirements, or other risks not otherwise noted.

 

Once both risk questionnaires are completed, answers to the risk questions can be summarized onto a Subgrantee Risk Assessment Summary (click the link to download and view/use the template). This summary visually shows the extent to which each subrecipient is risky and which type of risk criteria is problematic for multiple subrecipients. If multiple subrecipients are having trouble with a particular criterion, the need for additional training and technical assistance may be suggested.
 
After the initial risk assessment is performed for each subrecipient, it is anticipated that ongoing monitoring is adequate to identify new risks as they arise. Therefore, it is generally not necessary to perform risk assessments each year.

​

---

Other Blog Posts Related to Subrecipient Monitoring:

We have previously provided guidance on subrecipient monitoring in these blog posts (this list will get more extensive as new posts are added on):
​

• Subrecipient Monitoring Procedures – Basic Terms & Definitions

• Subrecipient Monitoring Procedures – Uniform Guidance Requirements​
• Subrecipient Monitoring Procedures – How to Distinguish Subrecipients from Contractors

​Watch for upcoming blog posts about the Uniform Guidance requirements:  
 

• Reviewing Financial and Programmatic Reports
• Determining Appropriate Level of Monitoring
• Data Collection

---

If you would like hands-on help on how to improve your subrecipient risk management, please contact Kevin directly for a free consultation:

Kevin Harper, CPA
kharper@kevinharpercpa.com
(510) 593-503

If you'd like to get more free tips, as well as downloadable tools and templates for your agency, please join our mailing list here!  ​
 
(We send 1-2 emails a month at a maximum, and only send useful information. You can unsubscribe at any time.)