When your organization passes along federal funding to another organization (as a subrecipient), you also pass the compliance requirements on to them and become a pass-through entity. But is that where your responsibility ends? Unfortunately, the answer is no.
So, how do you ensure the compliance requirements are being followed by the organization you passed the funds through to?
The Office of Management and Budget (OMB) solved this question by the creation of the subrecipient monitoring compliance requirement in 2.CFR.200 Uniform Administrative Requirements, Cost Principals, and Audit Requirements for Federal Awards (Uniform Guidance).
In Uniform Guidance there are items that are considered a “must” and there are items considered a “should.” When Uniform Guidance suggests you “should” do something, the action is considered a best practice recommendation. If the Uniform Guidance uses the word “must,” it is a requirement.
In this article, we will cover what items are considered a “must” versus a “should” as it relates to subrecipient monitoring.
Must: Subrecipient vs. Contractor Determination
Under Uniform Guidance, if an organization passes federal funding down to another organization, the pass-through entity must perform a determination as to whether the organization is receiving the funds as a contractor or as a subrecipient. When performing this determination, the pass-through entity should consider the substance of the agreement over the form.
The Uniform Guidance provides some examples to determine if the organization is a subrecipient or a contractor. However, the examples are not all-inclusive, and the decision requires judgement by the pass-through entity.
The organization may be a subrecipient if it (2.CFR.200.331a):
“… 1) determines who is eligible to receive what Federal assistance; 2) has its performance measured in relations to whether objectives of a Federal program were met; 3) Has responsibility for programmatic decision-making; 4) Is responsible for adherence to applicable Federal program requirements specified in the Federal award; and 5) In accordance with its agreement, uses the Federal funds to carry out a program for a public purpose specified in authorizing statute, as opposed to providing goods or services for the benefit of the pass-through entity. “
Alternately, the organization may be considered a contractor if it (2.CFR.200.331b):
“… 1) Provides the goods and services within normal business operations; 2) Provides similar goods or services to many different purchasers; 3) Normally operates in a competitive environment; 4) Provides goods or services that are ancillary to the operation of the Federal program; and 5) Is not subject to compliance requirements of the Federal program as a result of the agreement, though similar requirements may apply for other reasons.”
If the pass-through entity determines they are disbursing funds to a subrecipient, then the remaining subrecipient monitoring compliance requirements under Uniform Guidance will apply. Either way, it is important that this determination be documented.
Let’s dive into the “must” and the “should” for the subrecipient monitoring compliance requirements.
Must: Subaward Information
Uniform Guidance includes several requirements that must be included in the subaward. The reasoning is to ensure the subrecipient receiving the subaward understands the compliance requirements that are applicable to the federal funds being received.
Subawards are required to include the items related to the federal award identification, such as the award number, amount of the award, federal agency where the funds originated, assistance listing number, among a number of other required items. For the full listing of subaward information required by the Uniform Guidance , see 2.CFR.200.332a. This listing can be used as a checklist against your subaward template to ensure all required elements are present.
The subaward must also include any requirements imposed by the pass-through entity for the organization to comply with federal statutes, regulations, and conditions. This may include additional requirements related specifically to the federal funding and the pass-through entity’s requirements under the award.
Lastly, if the organization has a federally negotiated indirect cost rate, the pass-through entity must accept that rate as part of the award or a lesser rate if required by federal program regulation. If the subrecipient does not have a federally negotiated indirect cost rate, the pass-through entity must determine an appropriate indirect cost rate in collaboration with the subrecipient. This may be the 10% de minimis rate or a separately negotiated rate with the pass-through entity itself. It is important to note that the pass-through entity cannot require a subrecipient to use the 10% de minimis rate if the subrecipient has a federally approved indirect cost rate.
Must: Subrecipient Risk Assessment
Uniform Guidance introduces the concept of a risk assessment for subrecipients.
Under this concept, the pass-through entity must evaluate the subrecipient’s risk of non-compliance with the requirements of the award and the federal statutes/regulations. To assist in the assessment, the pass-through entity may consider developing a compliance questionnaire to send to the subrecipient to document their policies, procedures, and controls. This will help the pass-through entity ensure they understand the controls the subrecipients have in place over compliance requirements.
This assessment is used to inform monitoring the pass-through entity will perform over the subrecipient. The Uniform Guidance does not provide requirements on how the risk assessment is to be performed or documented. As such, pass-through entities are to develop their own subrecipient monitoring policies and related templates to ensure requirements, such as the subrecipient risk assessment, are met and documented.
Uniform Guidance does include some areas to consider in your assessment of risk, but it is not meant to be a comprehensive listing. The examples include the following:
What experience does the pass-through entity have with the subrecipient? Have they worked with the subrecipient on other federal programs? If so, the prior experience may help inform the risk assessment. If the subrecipient had adequate processes and controls in place previously, and there have been no changes, the pass-through entity may consider them lower risk.
Required to Have a Single Audit:
If the subrecipient is required to have a Single Audit, and it is not their first Single Audit, the pass-through entity may determine them to be lower risk. This is because they will have had experience with federal funding. A Single Audit is required if the organization expends $750,000 or more in federal assistance.
Results from Previous Audits:
If the organization has had past audits, such as a Single Audit, the results of those audits may change the risk profile of the subrecipient. If they have had compliance findings or internal control findings in the past, the pass-through entity may consider them higher risk.
Changes in Personnel or Systems:
If the subrecipient has significant changes in personnel or systems, the pass-through entity should consider if this has an impact on their risk assessment. Is there a higher risk of non-compliance due to these changes, or were controls and systems improved with the change?
Extent of Federal Agency Monitoring:
If the subrecipient has been monitored by other federal agencies, the pass-through entity should consider the results of that monitoring in their risk assessment. Alternatively, if the subrecipient has had no monitoring, and only receives funding from the pass-through entity, that may increase the risk profile for the subrecipient.
Must: Subrecipient Monitoring
Once the risk assessment for a subrecipient has been performed, there are certain areas that are a must when it comes to subrecipient monitoring. The pass-through entity must review the reporting that is sent by the subrecipient. This includes all financial and performance reports that are required under the sub-award agreement.
Additionally, the pass-through entity must ensure that the subrecipient is taking timely action against any deficiencies that are noted through audits, monitoring, or notice from the subrecipient. This includes obtaining written confirmation of the issue, the status, and the planned action to resolve the deficiency as it relates to the federal funding under the sub-award.
Should: Additional Monitoring
Based on the risk assessment of the subrecipient, the pass-through entity should consider if additional monitoring is required. Uniform Guidance does not include a comprehensive listing of other monitoring options, but it does include a couple examples:
Training and Technical Assistance:
As the pass-through entity, you may have to provide technical assistance and training over the compliance requirements for the award or other federal requirements. If the subrecipient is new to federal funding, this may be completed in structured and onboarding type training with the subrecipient. If the subrecipient is familiar with federal funding, it may take the form of more informal question-and-answer type training as the need arises.
On-site Reviews or Agreed Upon Procedures:
If the subrecipient is considered higher risk, the pass-through entity may determine that an on-site review of the detail support is needed. This review could be limited to obtaining support for costs charged under the award or it could take the form of an agreed upon procedure. The pass-through entity may hire an independent CPA to perform an agreed upon procedure engagement over the subrecipient and testing more of the compliance requirements, including costs charged.
Ultimately, the level of monitoring will be determined by the risk assessment and the subrecipient monitoring policy developed by the pass-through entity.
Must: Other Requirements
Uniform Guidance includes a few other musts under subrecipient monitoring. The passthrough entity must verify that the subrecipient had a Single Audit if it was required to. With the influx of federal funding being issued due to the Coronavirus pandemic, there has been a significant increase in organizations now being subject to a Single Audit. As a pass-through entity, you must verify that your subrecipients are having one completed if they meet the requirement.
Another must for pass-through entities relates to if there is an issue identified during monitoring. The pass-through entity must determine if the result of the monitoring requires any adjustments on the pass-through entities general ledger or records.
For example, if it is determined that the subrecipient charged unallowable costs to the federal award, the pass-through entity must adjust their records to remove the portion of the unallowable costs and communicate the non-compliance to the federal agency or pass-through agency. This will likely result in reimbursing the federal agency for the unallowable costs, and the pass-through entity will need to work with the subrecipient for this reimbursement.
The pass-through entity must also issue a management decision over any audit finding related to their sub-award with the subrecipient. If the deficiency does not impact their sub-award, they are not responsible to issuing a management decision. The pass-through entity must follow the requirements under 2.CFR.200.521 for the management decision. This is required to be issued within six months of the audit report becoming available on the federal audit clearing house. Additionally, if the finding is cross-cutting with multiple awards, the pass-through entity may consider relying on the management decision from the cognizant federal agency as an alternative. However, relying on the federal agencies’ management decision does not remove the requirement for the pass-through entity to continue to monitor and to determine the impact of the finding on their sub-award.
Lastly, based on the results of the monitoring, the pass-through entity must consider enforcement actions. For example, reimbursement for any unallowable costs or requiring more general ledger and other documentation support for any future reimbursement requests. The pass-through entity may also determine not to renew a subrecipient award as part of the enforcement action. Decisions on enforcement actions should be documented in the subrecipient’s file.
Now that you understand the “must” and “should” of subrecipient monitoring, what are your next steps?
It is important to remember that, even if you are passing funds through to another organization, the pass-through entity still retains the responsibility of ensuring the compliance requirements are followed. To mitigate the risk of passing through federal funds, ensure that you develop a policy and process for subrecipient monitoring that is centered around the risk assessment analysis. Ensure that monitoring is performed at least annually over the subrecipient. Additionally, develop a process for issuing a management decision as this requirement has a time restraint tied to it.
If you determine that subrecipient monitoring is a process that the pass-through entity does not have the bandwidth for, consider outsourcing a portion of the subrecipient monitoring tasks to a third party, such as a CPA firm. While this will not remove the requirements of the pass-through entity, it may add some much-needed bandwidth to achieve subrecipient monitoring in accordance with the Uniform Guidance.
At the end of the day, the pass-through entity must understand their requirements before they pass-through funds to other organizations. Knowing the “must” and the “should” under Uniform Guidance is key to this understanding.
If you have any questions on what is required of you under Uniform Guidance, please send me an email.
© Clark Nuber PS, 2021. All Rights Reserved