Tightening Controls for Federal Awards

by | Oct 1, 2018 | Audit, Nonprofit

Understanding the Requirements for Internal Control over Compliance of Federal Awards

Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved..  It is the first line of defense in safeguarding resource and designed to provide reasonable assurance regarding

  • achievement of objectives in the effectiveness and efficiency of operations,
  • reliability of reporting for internal and external use, and
  • compliance with applicable laws and regulations.

Because of the high degree of regulatory exposure, single audits are high-risk enterprises.  Federal awards under regulation of “Uniform Guidance” (2 CFR 200) require  auditees to design an internal control process that provides reasonable assurance regarding the achievement of objectives to ensure transactions are properly recorded and accounted for, transactions are executed in compliance, and funds, property, and other assets are safeguarded against loss from unauthorized use or disposition.

 What Are Your Internal Control Responsibilities?

Under Uniform Guidance, auditees must establish and maintain effective internal control over federal awards and provide reasonable assurance that those federal awards are managed in compliance with federal statutes, regulations, and the terms and conditions of federal awards.  Additionally, Uniform Guidance recommends that internal controls be in compliance with guidance in the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the “Standards for Internal Control in the Federal Government” (Green Book) issued by the Comptroller General of the United States.

Management considers a variety of factors in relation to expected benefits when designing and implementing internal controls. The complexity of cost-benefit determination is compounded by the interrelationship of controls with operational processes. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. We recommend that auditees review the different frameworks that can be used to develop sound internal controls and have provided some examples of common controls that will help meet compliance requirements.

Understanding the Internal Control Frameworks | COSO and Green Book

The COSO Internal Control Framework has become the most widely adopted control framework worldwide.  The framework does not prescribe controls to be selected, developed, and deployed for effective internal control. Therefore, an organization’s selection of controls is a function of management judgment based on factors unique to the entity.

COSO provides three categories of internal control objectives: operations, reporting and compliance. The following is a summary of the five components of internal control under COSO and related principles:

  1. Control environment
    1. Demonstrate commitment to integrity and ethical values
    2. Exercise oversight responsibility
    3. Establish structure, authority and responsibility
    4. Demonstrate commitment to competence
    5. Enforce accountability
  1. Risk assessment
    1. Specify suitable objectives
    2. Identify and analyze risk
    3. Assess fraud risk
    4. Identify and analyze significant change
  1. Control activities
    1. Select and develop control activities
    2. Select and develop general controls over technology
    3. Deploy control activities through policies and procedures
  1. Information & communication
    1. Use relevant information
    2. Communicate internally
    3. Communicate externally
  1. Monitoring activities
    1. Conduct ongoing and/or separate evaluations
    2. Evaluate and communicate deficiencies

The Green Book was written primarily for the federal government, but may also be adopted by state, local, and quasi-governmental entities, as well as not-for-profit organizations, as a framework for an internal control system.

Leveraging the COSO framework and the five components of internal control, the core concept of the Green Book recognizes the direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives). The Green Book also highlights the relationship of internal control to the strategic plan and governance by discussing how an organization’s mission, goals, objectives, sub objectives, and processes should be applied to the overall governance of the organization, enterprise risk management and, finally, internal control.

Examples of Internal Controls over Compliance Requirements

Following are examples of internal controls over compliance requirements that could be implemented in your organization:

  • Activities Allowed/Unallowed & Allowable Costs:
    • Manager approval of expenditures (control activity)
    • PO process (control environment and activity)
    • Review of program budget to actual results (monitoring)
    • Accounting system separately tracks federal and non-federal expenditures (information and communication)
    • Appropriate time and effort tracking system exist (control environment)
    • Payroll costs are allocated appropriately based on established system (control activity)
    • Indirect costs are negotiated and approved as required (control environment, control activity)
  • Cash Management:
    • Manager review and approval of cash draws (control activity)
    • Review of program budget to actual results (monitoring)
    • Routine assessments of cash needs (risk assessment, monitoring)
    • Written procedures are required under Uniform Guidance (control environment)
  • Eligibility:
    • Training requirements for staff completing eligibility determination (information and communication)
    • Checklist completed and signed off for each application (control activity)
    • Supervisory review of eligibility conclusions (monitoring)
    • Realistic case loads (control environment)
  • Equipment and Real Property Management:
    • Process of tracking assets purchased (and disposed) with federal funds (control activity)
    • Accounting system allows for separate identification of property acquired with federal funds (information and communication)
    • Management reviews inventory counts and discrepancies (monitoring)
    • Property tags are used (control activity)
  • Matching, Level of Effort, and Earmarking:
    • Match amounts included in budget (control environment)
    • Review of program budget to actual results (monitoring)
    • Accounting system capability of tracking requirements (information and communication)
    • Supervisory verification that requirements are met (monitoring)
  • Period of Performance:
    • Manager approval of expenditures (control activity)
    • Review of expenditures immediately before and after grant cut-off date to ensure compliance (monitoring)
    • Budgetary process considers term of grant funding (risk assessment)
    • Accounting system prevents processing of expenditure outside of grant period (information and communication)
  • Procurement, Suspension and Debarment:
    • Written procedures are required under Uniform Guidance (control environment)
    • Responsible staff (finance, program manager) have adequate knowledge and experience of responsibilities for procurements of Federal awards (control environment)
    • Code of conduct including conflict of interest policies for individuals with procurement responsibilities (control environment, risk assessment)
    • Utilization of a procurement checklist which is reviewed and maintained in file (control activity, monitoring)
  • Program Income:
    • Accounting system ability to track program income (information and communication)
    • Grant budget (control environment)
    • Analysis of budget to actual (risk assessment)
    • Proper segregation of duties for collection and recording of program income (control activities)
  • Reporting:
    • Manager review and approval of reports (control activity)
    • Personnel preparing reports have the appropriate skills and ability (control environment)
    • Existence of a tracking system to remind staff when reports are due (information and communication)
    • Supervisory comparison of reports to supporting records (monitoring)
    • Existence of policies and procedures for reporting (control environment)
  • Subrecipient Monitoring:
    • Sufficient resources are provided (control environment)
    • Understanding of subrecipient’s system, controls and changes in operations (risk management)
    • Written policies and procedures over subrecipient monitoring (control activity)
    • Use of standard subaward agreement templates (information and communication)
    • Systems to track key subrecipient monitoring actions, dates (monitoring)

As you establish controls over your federal awards, keep these principles in mind and make sure that your organization has designed effective controls for each area that pertains to your specific grant program. It is imperative that you document decisions and processes and keep a clear audit trail of activity.  Also, if designing or improving your organization’s internal controls over federal grant compliance, it’s helpful to always have an auditor’s perspective. Understanding what your auditor is looking for in a single audit can help you develop better processes.

Interested in learning more about COSO and how internal controls are linked to business success?  MJ’s Risk Advisory Experts share their knowledge on our blog in “Integrating Business Strategy and Performance”.

Johnson Olatunji,CPA is an audit senior manager and has over 12 years of experience in Governmental Accounting Standards,financial audits, internal controls, financial reporting, and General Accepted Auditing Standards. Connect with Johnson via email or on LinkedIn.