Embed Size (px)
Citation preview
6/10/2015
1
Sub-Grantee Risk Assessments
Iris Curtis and John Harvanko
June 19, 2015
• Moderator– Akm Rahman
Operations Branch Chief, Office of Community Services
• Speakers– Iris Curtis
Auditor, Office of Community Services
– John HarvankoLIHEAP Director, State of Minnesota
Agenda
6/10/2015
2
IRIS CURTISOffice of Community Services
• Requirement for Risk Assessment
• Elements of a Risk Assessment
– Prior Experience
– Previous Audits
– Personnel and Systems
– Results of Federal Monitoring
• Evaluation of Risks
Overview
6/10/2015
3
REQUIREMENT FOR RISK ASSESSMENT
• § 75.352 Requirements for Pass-through EntitiesAll pass-through entities must evaluate each sub-recipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the sub-award for purposes of determining the appropriate sub-recipient monitoring.
Risk Assessment Requirements
6/10/2015
4
• Assurance 10 – Section 2605(b)(10)
– Provide that fiscal controls and fund accounting procedures are established as necessary to ensure the proper disbursal of and accounting for the federal funds received
– Controls should include procedures for monitoring the allotted funds
Assurances of State and Tribes
ELEMENTS OF A RISK ASSESSMENT
6/10/2015
5
• Ensure Good Fiscal Accounting and Tracking of LIHEAP Funds– Evaluate Risks Based on These Elements:
• Prior experience with managing LIHEAP
• Review audit results and results of previous state monitoring
• Personnel and systems for managing LIHEAP
• Extent and results of federal monitoring
– Apply Specific Conditions for LIHEAP (if appropriate)
– Monitor the Activities
– Compliance with “Single Audit Act”
Risk Assessments
• Evaluation of Results
Depending upon the State or Tribe’s assessment of risk posed by the sub-grantee:– Provide sub-grantees with training and technical
assistance
– Perform additional on-site reviews of the sub-grantee’s program operations and corrective actions
– Arrange for agreed-upon procedures and engagements to confirm compliance
Assessing Risks
6/10/2015
6
Getting Started
What is the process for assessment
of risk?
How do I assess risk?
EVALUATION OF RISKS
6/10/2015
7
1. What is the sub-recipient’s prior experience with the same or similar sub-awards?
Consider the following: – What is the assessment of current-versus-prior sub-recipient’s
performance?
– Are the objectives/measures reasonable?
– Did they meet prior objectives (funding/performance)?
– Did they meet reporting requirements (timely/accurate)?
Risk Assessment Evaluation
2. What are the results of the previous audits and the State’s monitoring?
Consider the following: – Did the sub-recipient have a single audit?
• If not, did the auditor issue a management letter stating the reasons?
– Were the opinions unqualified?– Is LIHEAP a major program subject to extended compliance testing?– Any findings regarding internal controls or compliance?– What are the results of previous state monitoring?– What is the status of corrective actions?
Risk Assessment Evaluation
6/10/2015
8
3. How well do the sub-recipient personnel and systems perform?
Consider the following: – Are there new personnel managing the LIHEAP Program?
– How long have personnel managed LIHEAP?
– Has the system for managing LIHEAP been functioning effectively?
– Is this a new system for managing LIHEAP?
– Have there been systems’ enhancements and have they been tested?
Risk Assessment Evaluation
4. What are the extent and results of Federal awarding agency monitoring? (e.g., if the sub-recipient also receives Federal awards directly from a Federal awarding agency)
Consider the following: – What were the monitoring results?
– How frequently are they monitored?
– What is the extent of the monitoring?• Are they monitoring the activities of other programs such as LIHEAP?
• Are they evaluating the overall agency’s financial systems?
Risk Assessment Evaluation
6/10/2015
9
Which of these are elements of Risks Evaluation?
• Prior experience with managing LIHEAP
• Review audit and monitoring results
• Personnel and systems for managing LIHEAP
• Extent and results of federal monitoring
Think Fast – Do you know the answer?
?
• Based upon the objective evaluation of each element:
– Address the identified risk.
– Take action to reduce the associated risks.
– Determine appropriate monitoring procedures.
– Develop evaluation criteria for each element!
Risk Assessment Evaluation
Questions and criteria in this presentation are a guide.
6/10/2015
10
AREA EVALUATED RESULTS OF EVALUATION
PRIOR EXPERIENCE • Large remaining balance of unspent funds for the prior year• Number of clients served was less than 70% of plan for prior year
REVIEW AUDIT RESULTS• Single Audit Report completed• Issue of non-compliance with the Community Development Block Grant
(CDBG) federal program (immaterial compliance)
PERSONNEL AND SYSTEMS • New LIHEAP program manager (PM)• New manager was previous deputy program manager with 6 years of
experience with LIHEAP
EXTENT AND RESULTS OF FEDERAL MONITORING
• Department of Labor (DOL) monitored sub-grantee because of construction projects during last program year
• Monitoring limited to only their programs and no findings affecting LIHEAP
Risk Assessment Evaluation
AREA EVALUATED
RISKS ACTION TAKEN
PRIOR EXPERIENCE
• Over-funding sub-grantee• Sub-grantee's inability to serve client
population
• Reduced funding by 10% from previous year, more frequent reporting, and monitoring will be included with the performance review
• Monitoring will include intake processing
REVIEW AUDIT RESULTS
• Risk is low• There could be non-compliance with
LIHEAP program
• Ensure sub-grantee monitoring is performed this program year for LIHEAP
• Focus monitoring on financial compliance
PERSONNEL AND SYSTEMS
• Certain program administrative requirements (Plan Development and Reporting - Deputy was not responsible for this in the past) could be overlooked
• Additional technical assistance in LIHEAP planning will be provided
• Additional monitoring procedures and review of reports by sub-grantee will be implemented
EXTENT AND RESULTS OF
FEDERAL MONITORING
• None; no impact or risk on LIHEAP• This would not impact any plans for
monitoring LIHEAP
Risk Assessment Evaluation
6/10/2015
11
• An effective monitoring plan will:
– Examine and test what is actually happening with the administering of the LIHEAP program.
– Review the program implementation and then determine what should or did not happen.
– Identify findings and concerns that need corrective actions to address going forward in the program.
– Conduct the monitoring at the beginning or during the program period so that corrective actions are put in place before program end.
Risk Assessment Monitoring
• Monitoring may include, but is not limited to:– Ensuring client eligibility according to plan
– Tracking applications for approval
– Verifying Qualified Benefits
– Testing the transmittal (claims) process
– Tracking submission of payment to Utility vendors and or client
– Confirming crisis assistance, if needed
– Providing notification of Fair Hearings for denials
– Establishing procedures to detect waste, fraud, abuse
Risk Assessment Monitoring
6/10/2015
12
• Monitoring Plan Development – Each State and Tribe should develop their monitoring plan based on:
• Their program characteristics
• Their program requirements
• Their program goals
– The State LIHEAP Plan should include the plan for monitoring sub-grantees.
Risk Assessment Monitoring
Additional Monitoring Procedures based on Risk Assessment
Risk Assessment Monitoring
AREA EVALUATEDSPECIFIC MONITORING PROCEDURES
BASED ON SUB-GRANTEE RISK ASSESSMENT
PRIOR EXPERIENCE • Verify number of clients served compared to LIHEAP plan• Assess intake procedures for tracking and approval for efficiencies
REVIEW AUDIT RESULTS• An additional reimbursement claim will be reviewed for this sub-grantee• Verification of supporting documentation for each reimbursement claim
to ensure expenditures are allowable
PERSONNEL AND SYSTEMS • Monitoring will include a review of selected performance reports
submitted by Program Manager (PM)• Training and technical assistance will be specifically offered to PM
EXTENT AND RESULTS OF FEDERAL MONITORING
N/A
6/10/2015
13
JOHN HARVANKOState of Minnesota
Introduction
• MN Risk Assessment Background
• MN Risk Assessment Current
• MN Risk Assessment Future
6/10/2015
14
MN Risk Assessment Background
• The Minnesota Energy Assistance Program (MN EAP)
– The MN EAP began formal risk assessment in 2009 in response to a state audit requiring us to develop an internal control framework (ICF) (to comply with OMB guidance)
– We did not know what ICF was, but were able to organize our existing controls into it in little time
MN Risk Assessment Background
• Initially MN EAP’s risk assessment was fairly basic and informal
– It included the characterization of each sub-grantee as high, medium, or low risk based on information obtained through various oversight processes (e.g., program audits, independent fiscal audits, etc.).
– It focused primarily on the probability of risk occurrence, with little to no attention to the scope of potential impact.
– It was conducted solely on an ad hoc basis with unclear and/or inconsistent criteria.
6/10/2015
15
MN Risk Assessment Current
• Starting Federal Fiscal Year 2014, MN EAP developed and implemented a more comprehensive, documented, and consistent risk assessment methodology
MN Risk Assessment Current
• MN EAP identified two broad categories of potential risk:– Waste, fraud, and/or abuse (funding)
– Poor quality of service to households
• COSO standards for Internal Controls– Thanks to our adoption of the Committee of Sponsoring Organizations
(COSO) standards for Internal Controls, our oversight processes included a variety of means of assessing factors contributing to these two risk categories.
6/10/2015
16
MN Risk Assessment Current
• Acknowledging that neither risk events nor sub-grantees are created equal, we incorporated an assessment of risk impact in addition to risk probability.
IMPACT: The magnitude or size of the risk occurring
PROBABILITY: The likelihood of the risk occurring
MN Risk Assessment Current
• For each broad risk category, MN EAP identified indicators of both risk impact and probability.
• As an incremental step and in order to leverage existing oversight processes:– Indicators were organized around sources of information rather than
specific risk events.
6/10/2015
17
Probability Example
MN Risk Assessment Current
Waste, fraud, and abuseIndicator Source
Findings related to waste, fraud, and abuse Prior year program audit report
Weak organizational capacity Current program assessment visit
Lack of training/experience, staffing fluctuations/organizational characteristics
Annual local plan
Probability Example
MN Risk Assessment Current
Poor quality of serviceIndicator Source
Findings related to quality of service Prior year program audit report
Identified service deficiencies Current program assessment visit
Weak planning related to program service areas
Annual local plan
6/10/2015
18
Impact Example (both risk categories)
MN Risk Assessment Current
Both risk categoriesIndicator Source
Sub-grantee size: # of households served, total benefits paid
Program data
Reputational considerations: sensitive populations, economically depressed areas, natural disaster area
Staff research
MN Risk Assessment Current
• Process Considerations– State staff assigned to gather information for each indicator
– Staff reviews indicator assessment as a group and agrees on overall score for each indicator (1-5)
– While subjective, team consensus assures some level of consistency across sub-grantees
6/10/2015
19
MN Risk Assessment Current
• Risk Assessment Implications– MN EAP has limited resources
– Risk assessment helps in allocation of oversight resources to most risky sub-grantees
– Enables clear and consistent communication of risk to relevant stakeholders
MN Risk Assessment Current
6/10/2015
20
MN Risk Assessment Current
MN Risk Assessment Future
• Future enhancements– Assess risks related to sub-grantee organizational capacity
(or lack of capacity)
– Organize by risk area instead of by source of information:• More meaningful and clear assessment of risk areas
• Improve ability to communicate risk to decision makers
6/10/2015
21
MN Risk Assessment Future
• Future Enhancements: The ConceptOrganize by the “Green Book” Internal Controls Framework:– Control Environment
– Risk Assessment
– Control Activities
– Communication & Information
– Monitoring
• Future Enhancements: Examples– Board Oversight (e.g., composition, involvement)
– Organizational Structure, Responsibility, and Authority (e.g., ED experience)
– Fiscal Management (e.g., fiscal controls, reporting)
• For each area, have specified levels of competence (1-4)– The higher the score, the higher the risk
MN Risk Assessment Future
6/10/2015
22
MN Risk Assessment Future
QUESTIONS & ANSWERS
6/10/2015
23
The next session is:
Federal Updates from the LIHEAP Office
